Cyber Security Today, Oct. 2, 2023 – How to create a cybersecurity awareness program

Share post:

Advice for creating a cybersecurity awareness program.

Welcome to Cyber Security Today. It’s Monday, October 2nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.


Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

October is Cyber Security Awareness Month for … well, for everyone: Youngsters, consumers, employees and management.

But on this episode I want to focus on IT and corporate management. IT because it often delivers security awareness material, and senior management because it’s their job to make sure the entire organization sees the value of training.

Of course the CEO, the president and the vice-presidents are aware of the importance of cybersecurity. That’s not the point. The point is for any organization to successfully fight cyber attacks and data privacy violations there has to be a formal cybersecurity awareness program pointing out company policies for all staff. And support for it has to come from senior management. At the very least that means senior management has to show up regularly at awareness training sessions. And management has to show that it follows the same practices employees have to obey.

Here’s another way: If the CEO is seen by employees as a highly respected leader of the company who has a regular blog or newsletter, a good way to spread cybersecurity messages is to include them there.

What makes a successful awareness program? To answer that I’ve turned to a book called You Can Stop Stupid by Ira Winkler and Tracy Brown.

They start with what an awareness program shouldn’t be: A checkbox to meet compliance regulations. That is, checking ‘Yes, we held one cybersecurity awareness training session every month in the past year.’

RELATED CONTENT: Tips to improve your awareness program

What should a program do? Tell users how to do their job correctly, say the authors, not describe ways they can do it wrong. So, training should not only be about how to recognize a phishing message, but what to do about it.

An awareness program’s goal is to change employee behaviour: For example, to stop clicking on attachments, or downloading unapproved apps or having bad passwords — whatever is important in your organization.

And the best way to make sure behaviour is changing is to have metrics. Metrics on what current staff behaviour is, and then metrics on whether training is changing that behaviour.

By the way, a good thing about metrics is they can help show management the return on investment of training.

RELATED CONTENT: Advice from RSA Conference

Remember, what’s needed are useful metrics. Attendance metrics may show who isn’t going to meetings, but not much more. Satisfaction metrics, like ranking employee satisfaction with a training session, may have limited usefulness. Knowledge metrics, like having staff take a short quiz after a training session, may show if a message is getting across but won’t show if it’s sticking. That’s why measuring behavior changes is vital. For example, are staff reporting receiving more suspicious email messages? Are they downloading fewer unapproved apps?

Metrics will also show what parts of the program are most effective: Computer training, phishing tests, lunch and learns, newsletters, social media blasts, posters etc.

One employee aid, the authors note, is setting up an internal online security library with documents and videos that staff can turn to for advice — things like how to keep a computer secure, how to change a privacy feature, how many times their password needs to be changed, how to see if a URL is legitimate. But the library has to be kept up to date.

One other other thing: It may be smart to tailor awareness program for certain departments or different geographies the organization operates in. Awareness

The authors of You Can Stop Stupid say it’s very likely you won’t get your awareness program right the first time. That’s one reason why training should be done every three months — so you can measure what’s working. Don’t be surprised to find you need to adapt your program to bring in new concepts, ideas and business drivers.

How can you create an awareness program? The U.S. National Institute of Standards and Technology, otherwise known as NIST, has had a 70-page guide since 2003. It’s being updated and renamed as Building a Cybersecurity and Privacy Learning Program. There’s also a 20-page guide called Building a Cybersecurity Awareness Program from the Carnegie Mellon Software Engineering Institute.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

If your organization is holding special programs for Cybersecurity Awareness Month, here’s material from the Canadian Centre for Cyber Security and from the U.S. Cybersecurity and Infrastructure Security Agency.

The post Cyber Security Today, Oct. 2, 2023 – How to create a cybersecurity awareness program first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Hashtag Trending Feb.23- Companies losing top talent with long hiring processes; Intel – the “foundry for the world?”; AT&T outage

(PRE MUSIC ANNOUNCEMENT) If you know me, you know I’m passionate about three things – music, books and data. My interview on the weekend edition hits two of those passions. I read a book called Winning with Data Science, and it blew me away. So, I reached out and managed to get one of the

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways