The infosec community has complained about awareness training failures and wasting time and effort on awareness trainings for quite some time. A consensus has emerged that for awareness trainings to work successfully, they need to be measured, they need a clearly defined goal, they need support from the top, and they must be relevant to the end-user.
Knowing this does not necessarily make things easier, and many infosec people I talk to tell me “it’s easier said than done!” The sense they have come from a psychological phenomena that creates stress when we believe we should know how to do something, while in fact we donÃ‚Â´t. And stress can have it’s toll on even the strongest.
Knowing that even if things seem easy (and may in fact be easy too), I have decided to change the landscape using the Security Culture Framework (SCF), a free framework to help build and maintain security culture in any organization.
The SCF consists of four parts, designed to help with the key elements of building a culture of awareness:
Metrics: where you define goals, and how to measure the progress.
Organization: where you set up your team and create top-level support.
Topics: where you choose the content and activities to support your goal.
Planner: where you plan and execute your campaigns.
All this is easy and recognizable, these are things most of us know and do, right? The challenge arise when you need to figure out how to play the four parts, and make them work together.
And that is the focus of the Security Culture Summer School 2014. Starting June 16th and lasting 7 weeks, as a participant in the summer school, you will not only learn how to use the Security Culture Framework to build and maintain security culture in your organization, you will use the SCF to plan and design your own security culture program in such a way that you can start implementing it right after the school is out!
The summer school is virtual, which means you can follow the video lectures at your own pace. We also have a (almost) weekly Google Hangout on Air, where students can ask questions and we discuss the topic of that week.
The workload is likely to be 3-8 hours per week, and you will be working on weekly assignments within all the four fields of the framework, each assignment building on the previous one, and leading to a complete security culture program tailored to your needs.
Help Net Security readers get a 25% rebate using this code.