How To Implement Role-Based Security Awareness Training
By: Larry Kinkaid, manager, cybersecurity consulting
At every organization, different employees have different responsibilities. In order to be successful and do their job correctly, each employee must understand exactly what their job entails and what their unique responsibilities are.. You wouldn’t ask a sales executive to develop software, just like you wouldn’t ask your software developers to run HR processes.
This holds true when it comes to security training, too. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of data breaches have a human element. Because of this risk, effective security training is essential for every organization. Tailoring security training to each employee’s specific role and responsibilities can make security training more engaging and effective.
Role-based security awareness training is exactly what it sounds like. Since employees have unique responsibilities and interact with different systems and data in their roles, they need to know different things about security. Simply educating a DevOps engineer on how to identify social engineering attacks isn’t enough—they should also know how to apply security in each aspect of their day-to-day jobs.
How should organizations determine which roles need specific training? The first step is to identify any sensitive information within your organization. Next, identify which roles interact with that sensitive information, and use that to determine who will need tailored or specific security training.
For many organizations, compliance requirements are an easy place to begin this process. While security training should never be a check-the-box exercise, compliance can help guide role-based security training. For example, if your organization processes, transmits, or stores protected health information (PHI), it must comply with HIPAA. Determine who interacts with that data and ensure they are trained to understand how to appropriately handle PHI under HIPAA.
Everyone who works from a computer and has an email account should undergo basic security training. Other roles to consider include:
- Developers: All developers should be trained in the preferred security standard based on the kinds of development activities. For example, the Open Web Application Security Project (OWASP) standard provides developers with the necessary controls and requirements for secure development.
- Accountants and Finance Personnel: According to the DBIR, financial gain is the most common motive of threat actors involved in data breaches. Employees with access to financial information are likely to be the target of phishing attacks or other social engineering scams, and should be trained to recognize various threats.
- Human Resources (HR): HR employees typically have access to personal information for other employees and staff, including data like Social Security numbers, addresses, and other sensitive information. HR employees should be trained to understand why a threat actor may want access to HR accounts and how to avoid falling trap to social engineering scams.
- Privileged Access Users: Anyone with privileged access to systems, such as a system administrator, should receive tailored security training on how to ensure they’re keeping the systems they are responsible for secure. If an attacker were to gain access to a privileged user’s credentials, the attacker could potentially wreak havoc on a system by shutting it down, installing malware, or holding the system for ransom. Privileged access users include IT personnel who are responsible for maintaining the systems and devices that support the business objectives.
Some companies may have employees who don’t use a computer for work and may not require basic IT security training. For those employees, figure out what IT exposure they do have, and give them a one-pager outlining expectations and responsibilities. For example, a night janitor doesn’t need to undergo OWASP training, but they should have a basic understanding of other security risks, such as what to do in a situation where another employee left their work laptop unattended overnight and how to handle physical security at the organization’s facilities.
There are plenty of tools to help organizations implement role-based security training to varying degrees of cost and effectiveness. BARR’s partner Curricula has a free, basic security awareness training available to organizations of all sizes, as well as a number of more specific training episodes that can be used for role-based training on topics such as privacy and HIPAA training.
Role-based security awareness training doesn’t need to be an expensive investment or tedious task for your employees. It can be as simple as starting a book club for developers who can meet on a bi-weekly or monthly basis to discuss educational books on secure development. At a minimum, employees should receive training appropriate to their role upon hire and annually thereafter. The goal is to be engaging and effective, not dull and time-consuming.
Measuring the effectiveness of role-based security training
Once role-based security training is implemented, how does your organization know if it’s successful? There are a few metrics for measuring the success of a training program, including the number of people who completed their training and the amount of time it takes for an employee to complete the training after onboarding.
Organizations can also measure the increase in security reports. When employees are reporting security issues or phishing emails, it shows the organization that security training is actually working.
Finally, security teams should also solicit feedback from their employees. Did they enjoy the training and feel empowered by it? How could it be improved? Real-time feedback can help leadership determine any necessary changes to security awareness training.
Benefits of customized security training
Role-based security awareness training can be more effective than forcing all employees to undergo the same lengthy, boring training. Let’s take a look at some of the benefits organizations can expect after implementing role-based security training.
- Increased engagement: According to the DBIR, the majority of training took employees twice as long as they thought it would. The length of a training program doesn’t equate to the value of the training. Role-based training makes security training more engaging by teaching employees what they need to know based on their roles.
- Better use of time and resources: It would be a waste of time and money for a marketing intern to undergo OWASP training. Instead, they should learn basic security best practices that are directly relevant to their role. Role-based security training treats each risk appropriately.
- Improve security culture: Role-based security awareness training shows your employees that security is important to your organization and empowers them with the education they need to mitigate security risks. It can also help employees loosen up the dialogue around security, teaching them to not be afraid to admit security issues when they arise and the value of transparency.
Interested in learning more about role-based security awareness training? Speak with a BARR specialist today.
About the Author
Larry Kinkaid
Manager, Cybersecurity Consulting
As manager for BARR’s cybersecurity consulting practice, Larry supports small-to-medium sized and enterprise companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.
He is an experienced consulting professional with a history of working in IT governance, risk, and compliance for large companies. He maintains the CISA and CRISC certifications to fortify his reputation as an IT professional in audit and risk. Larry graduated from Bowling Green State University with a Bachelor of Science in Business Administration, Information Systems Auditing and Control, and Management Information Systems.