Week 9: Selling Security Education, Training and Awareness Programs to Users
I’ve frequently heard users complain to one another about the relevance, timeliness, or applicability of the training they just completed while on a break after a mandatory organizational SETA session. As cybersecurity professionals, we understand that SETA programs are a vital part of an organization’s information security posture. Verizon’s survey of data breaches shows that years of SETA programs are having an effect, helping make users more resistant to the temptation to click malicious links and more likely to report them during security audits. However, these connections are not as obvious to our users, who see SETA content as competing with work activities more tied to their core business functions.
There are a few tricks I’ve found that help users take SETA training more seriously. First, tie information security to the core organizational mission. If you can demonstrate to your users that the time spent learning about information security benefits the overall mission of the organization, they are less likely to resent the time they are spending away from their primary job. Second, calibrating the training to the users’ level of understanding can go a long way. Too often, SETA training assumes all users have no prior knowledge coming into the class, ends up being condescending, and loses their interest; if you can keep them challenged, they’ll be more likely to stay engaged. Finally, tie the training to everyday tasks that your users are familiar with. If they can see themselves using the training, it will feel more relevant to them and they will be more likely to pay attention.
If you keep these tips in mind, you can look forward to your next SETA training break secure in the knowledge that your users will be talking about what a breath of fresh air your session has been!