The way we work today is completely different from the way things were 20 years ago. Nowadays we expect to be able to read emails on our phones, participate in global video conferences while on our summer hols and order goods online. In a short space of time we’ve managed to streamline our way of working. The problem is that many companies are still using the same internal training methods that were popular back when we were listening to music on cassettes.

Four ways to create an effective information security training programme:

1.Analyse the current situation. Delivering training that fails to meet the needs of the target group is a waste of time. Employees need training that is tailored to their needs and their reality at work.

2. Plan. Not all employees have access to the same information and the consequences of incorrect behaviour vary depending on the employee’s position. A company whose work is risk-based usually categorizes its employees into three levels, depending on their access to information and level of influence at the company. The training initiatives are then adapted to the needs of each risk group.

3. Change behaviour. The purpose of training and information initiatives is to change employee behaviour. A common misconception is that more information is synonymous with improved security awareness. Changing people’s behaviour requires the use of educational tools, such as:

- Cyber security roadmaps, practical security tips that employees can consult when they come up against various risks, for example phishing.

- Dialogue maps, a workshop tool in which the team discusses the dilemmas and challenges relating to their security work in day-to-day operations.

- An educational intranet, where employees can easily search for information when they really need it, which can reduce training time.

4. Measure and optimize the effect. Modern research has developed methods for measuring actual changes in employee behaviour. Indicative scenario methods allow you to evaluate the effects of training and prioritize future initiatives.
Employees are often portrayed as the weakest link in security efforts, but they are also the key to an appropriate and dynamic level of security. The question is whether your organization is relying on outdated techniques to manage current and future challenges.

Listen to the Combitech podcast [Swedish only], in which my colleagues and I talk more about security awareness and social engineering