Are employees being treated with the same seriousness as we treat other threats to the organization? Have organizations forgotten that the human element, the weakest link in security, is a critical factor?


Traditionally, security training has been mostly concerned with technology and processes – particularly SOP-driven.

Now it is really time to look at the people – the highest threat to the organization, yet one we don't necessarily treat like any other threat vector.

Employees should generally be guided to do the right thing, and effective security awareness training should therefore be tailored to a variety of situations.

Effective security awareness training starts with a risk assessment. We need to understand what the most valuable assets are so we can better craft a plan to protect them.

Identify the risks, and align the training around them by carrying out a Training Needs Analysis. There shouldn't be a 'one-size-fits-all' training given to people at different levels of competency.

Executives, for example, need certain training that others in the organization may not.

On the ground, hands-on operations staff such as receptionists, security guards and call center employees may need extra training around social engineering risks, while human resources employees may need particular training on handling personally identifiable information (PII), which is one of the important requirements under the Personal Data Protection Act (PDPA) 2010.

Once the needs have been identified, a customized program of continuous education should be crafted around them.

Security awareness training will not work if it is a mere 30-minute, once-a-year recurring program, and many will say that it doesn't.

Why should we expect it to work in the first place?

While a 30-minute, once-a-year security awareness training program may serve as foundational training, the overall program needs to be one of reinforcement that employees can then apply on the job. Foundational training can be helpful, especially to new employees, and acts as a refresher of security best practices that they can also use at home to protect their children and other family members.

Tie in that emotional hook — make it real and personal. Effective security awareness training needs to be implemented as an overall program, not an event.

Behavior analytics or predictive indicator analysis of suspicious activities can play a key role in a continuous program that adapts to the risks employees face. This kind of program can raise employees' state of awareness at the moment they engage in certain activities.

It is also essential to treat the security awareness program as a communication exercise, essentially as a change management problem. For example, different departments may not be overly familiar with security functions and may not have the skills to effectively implement security measures and monitor for suspicious activity.

You can read about my experience in my previous post, where I implemented a customized security awareness training program for different levels of employees across different departments (Change Management with Ishikawa and Herzberg – My Marriott Loss Prevention Experience).