16. Best Practices of Security Awareness Training
Appropriate communication about current and potential threats is needed to keep awareness high.
Methods to Increase Awareness
- Encourage friendly competition between departments over which one identifies and reports the most phishing attempts.
- Provide reminders, such as stress balls with messages like “lock your computer.”
- Use automatic systems that lock computers when users step away.
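As an added example (not from the original page), the PowerShell audit below checks whether a Windows workstation actually enforces the automatic inactivity lock mentioned above, so an awareness programme can verify the control instead of assuming it. The registry locations are the standard Windows policy and screen-saver settings; the 900-second threshold is an assumed organisational baseline, not a value from the page.

```powershell
# Added example: audit the automatic idle-lock control on a Windows host.
# Registry paths are the standard Windows policy / screen-saver locations.
# $MaxIdleSeconds is an ASSUMED organisational baseline (15 minutes).

$MaxIdleSeconds = 900

function Get-IdleLockSetting {
    # Machine-wide policy: "Interactive logon: Machine inactivity limit".
    # When set, Windows locks the session regardless of user screen-saver choices.
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    if ($machine -and [int]$machine.InactivityTimeoutSecs -gt 0) {
        return [pscustomobject]@{
            Source         = 'MachinePolicy (InactivityTimeoutSecs)'
            TimeoutSeconds = [int]$machine.InactivityTimeoutSecs
            Secure         = $true   # the machine inactivity limit always locks
        }
    }

    # Otherwise fall back to screen-saver settings. The policy key (if present)
    # overrides the user's own preference, so it is checked first.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($path in $paths) {
        $ss = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($ss -and $ss.ScreenSaveActive -eq '1') {
            return [pscustomobject]@{
                Source         = $path
                TimeoutSeconds = [int]$ss.ScreenSaveTimeOut
                # A screen saver only counts as a lock if it demands a password on resume.
                Secure         = ($ss.ScreenSaverIsSecure -eq '1')
            }
        }
    }
    return $null
}

function Test-IdleLockCompliance {
    param([int]$MaxSeconds = $MaxIdleSeconds)

    $setting = Get-IdleLockSetting
    if (-not $setting) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'No automatic lock configured' }
    }
    if (-not $setting.Secure) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Screen saver via $($setting.Source) does not require a password" }
    }
    if ($setting.TimeoutSeconds -le 0 -or $setting.TimeoutSeconds -gt $MaxSeconds) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Timeout $($setting.TimeoutSeconds)s exceeds baseline of $MaxSeconds s" }
    }
    return [pscustomobject]@{ Compliant = $true; Reason = "Locks after $($setting.TimeoutSeconds)s ($($setting.Source))" }
}

# Usage: run on the workstation being audited.
Test-IdleLockCompliance | Format-List
```

Run it as the logged-on user so the HKCU keys resolve to the right profile; the machine-wide policy check works from any account. A `Compliant = $false` result is a useful talking point in training, since it shows a concrete gap rather than an abstract rule.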
Training Feedback
- Ensure positive feedback is collected about training.
- Confirm that the training is appropriate and understood.
Leadership Support
- Organizational leaders must understand the importance of training.
- They should promote and improve the information security environment.
Practice and Simulations
- Provide opportunities for personnel to practice what they have learned.
- Use exercises and simulations, such as sending simulated phishing emails.
- Give positive feedback when employees report these emails.
Training Approach
- Awareness training should be a positive experience.
- It should not be punitive (punishing) unless absolutely necessary.
- The approach depends on the organization’s culture and risk profile.