Strategy: Justifying Security Training
Consider two fictional companies: ABC Co. and XYZ Inc. ABC's idea of security-awareness training is having new employees initial the corporate policies and procedures on their first day on the job, with no follow-up on whether they understood, or even read, the material.
XYZ, on the other hand, provides computer-based and classroom training, newsletters and scored tests to its employees at least once a year. If an employee skips training, there are repercussions. So which company has the more effective training program? Which stance is the better predictor of the company's overall security effectiveness?
One could guess which is the more effective approach, but guessing doesn't get funds, and XYZ's approach is clearly much more expensive. That's why last year I conducted doctoral research to identify the security-awareness training components that are the strongest predictors of security effectiveness. This report combines that research with other studies to provide a guide for implementing effective security-awareness training.