Security awareness as a term is quite an old construct. As early as 1992, the OECD spoke of awareness of risks in connection with information systems in its guidelines for the security of information systems. After more than 10 years of experience in providing training materials for security awareness and through the feedback from tens of thousands of customers via our platform, we have seen some progress in organizational security awareness over time.
The speed of this progression varies with the size of the organization, its location, and its industry, but similar patterns can be observed. In some cases individual steps are skipped; in others, several steps are taken at the same time. Ultimately, most organizations end up in the same scenario. Organizational security awareness can be divided into 10 phases, and the individual phases can be used to determine which phase an organization is currently in.
1) Increased Technical Awareness for Information Security and Its Professionals
Information security and IT experts are among the first to be affected. Infected workstations and ransomware attacks make life difficult for them. Many of these professionals see the need to instill security awareness but are sometimes discouraged by the impractical, old-fashioned practice of sending users through a 15-minute compliance-focused training. These professionals also understand the risk of relying solely on technical IT security controls.
2) Provision of Awareness Content for End-Users
The first measures consist mainly of PowerPoint presentations in darkened training rooms. This type of knowledge transfer is usually not very effective, but it is seen as the first important step toward establishing at least a few basics.
3) Platform Automation Enables Compliance Requirements
Automating the delivery of training through an (internal or external) Learning Management System (LMS) is the next step and marks the third phase. It makes it easier to meet compliance requirements. How this is done depends heavily on the size of the organization; larger companies typically have an on-premise or cloud-based LMS that is used for general training purposes.
4) Continuous Testing
This phase shows a clear shift in the direction of the “zero trust” model. Employees are tested frequently after the training to ensure that the knowledge they have acquired has actually stuck.
5) Technology Support
In this phase, “phish alarm buttons” are provided in the end-users' email clients so that they can report suspected phishing emails to the incident response team or the SOC, which in turn can take countermeasures. Here the technology is a tool that supports employees, and it is only useful to those who know how to use it properly. This too requires training, and employees must gain experience in handling the tool before they can use it correctly. In the end, however, people always have to make their own decisions; technology does not do that for them.
6) Security Orchestration
In the next phase, these reported emails are fed into a security “workstream” that quickly assesses the level of risk. In the event of a threat, the inboxes of all users can be accessed automatically in order to render malicious messages harmless before further damage occurs.
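The workstream described in this phase, reduced to its essentials, as an added example (not code from the original post or from any particular product): a message reported through the alarm button is triaged against a few indicators, and if the risk is high, every copy of the same campaign is located across all mailboxes and quarantined. The trusted domains, the risky attachment extensions, the scoring thresholds and the sample mailboxes are all constructed assumptions for this example.

```python
from __future__ import annotations
import hashlib
import os
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical policy values for this example (not from the page):
TRUSTED_DOMAINS = {"example.com"}                # the organization's own mail domains
RISKY_ATTACHMENT_EXT = {".exe", ".js", ".hta", ".iso", ".vbs"}


@dataclass
class Email:
    message_id: str
    sender: str
    subject: str
    links: list[str]
    attachments: list[str]
    quarantined: bool = False


def is_trusted_host(host: str) -> bool:
    """Exact or subdomain match only; 'evilexample.com' must not pass for 'example.com'."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def campaign_key(msg: Email) -> str:
    """Stable fingerprint used to find other copies of the same campaign in other mailboxes."""
    raw = f"{msg.sender.lower()}|{msg.subject.strip().lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()


def assess(msg: Email) -> tuple[str, list[str]]:
    """Return (risk level, reasons) for one reported message."""
    reasons = []
    sender_domain = msg.sender.rsplit("@", 1)[-1]
    if not is_trusted_host(sender_domain):
        reasons.append(f"external sender domain {sender_domain}")
    for url in msg.links:
        host = urlparse(url).hostname or ""
        if host and not is_trusted_host(host):
            reasons.append(f"link to untrusted host {host}")
    for name in msg.attachments:
        if os.path.splitext(name)[1].lower() in RISKY_ATTACHMENT_EXT:
            reasons.append(f"executable attachment {name}")
    if len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", reasons


def sweep_and_quarantine(mailboxes: dict[str, list[Email]], reported: Email) -> list[tuple[str, str]]:
    """Mark every not-yet-quarantined copy of the reported campaign in every mailbox."""
    key = campaign_key(reported)
    removed = []
    for user, inbox in mailboxes.items():
        for msg in inbox:
            if campaign_key(msg) == key and not msg.quarantined:
                msg.quarantined = True
                removed.append((user, msg.message_id))
    return removed


def handle_report(mailboxes: dict[str, list[Email]], reported: Email) -> dict:
    """One pass of the workstream: triage, then sweep only when the risk is high."""
    level, reasons = assess(reported)
    quarantined = sweep_and_quarantine(mailboxes, reported) if level == "high" else []
    return {"level": level, "reasons": reasons, "quarantined": quarantined}


# Constructed sample data: three users received the same lure, one also has a normal message.
LURE_SENDER = "it-helpdesk@portal-reset.invalid"
LURE_SUBJECT = "Action required: password expires today"


def build_mailboxes() -> dict[str, list[Email]]:
    def lure(mid: str) -> Email:
        return Email(mid, LURE_SENDER, LURE_SUBJECT,
                     ["https://portal-reset.invalid/login"], ["reset.js"])
    legit = Email("<h1@example.com>", "hr@example.com", "Holiday schedule",
                  ["https://intranet.example.com/holidays"], ["schedule.pdf"])
    return {
        "alice": [lure("<m1@portal-reset.invalid>")],
        "bob": [lure("<m2@portal-reset.invalid>"), legit],
        "carol": [lure("<m3@portal-reset.invalid>")],
    }


if __name__ == "__main__":
    boxes = build_mailboxes()
    # alice presses the alarm button on her copy; bob's and carol's copies are swept too
    print(handle_report(boxes, boxes["alice"][0]))
```

The fingerprint deliberately ignores the Message-ID, because each recipient's copy carries a different one; sender plus normalized subject is enough for this toy, and a real workstream would add URL and attachment hashes. A second report of the same campaign returns an empty quarantine list, so the sweep is idempotent.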
7) Advanced Management of User Behavior
With detailed risk metrics for both individual users and user groups, companies can now create tailored campaigns based on observed risky behavior. One example is scanning the dark web for hijacked login data. Poor password practices are also flagged in this phase, and individual training modules are sent to the employees identified as high-risk.
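As an added illustration of the per-user and per-group risk metrics this phase relies on (example code, not from the original post or any vendor platform): behavioral events such as simulation clicks, alarm-button reports, password reuse and a login found in a leaked-credential feed are weighted into a user score, rolled up per group, and mapped to targeted training modules. The weights, tier thresholds, module names and the event log are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from statistics import mean

# Hypothetical weights chosen for this example (not from the page).
EVENT_WEIGHTS = {
    "sim_clicked": 3,                 # clicked a link in a phishing simulation
    "sim_submitted_credentials": 6,   # typed credentials into the simulation page
    "sim_reported": -2,               # reported the simulation via the alarm button
    "password_reused": 4,             # same password seen on another system
    "credential_in_breach_dump": 5,   # work login found in a leaked-credential feed
    "training_overdue": 2,
}

# Hypothetical module catalogue: which targeted module each risky behavior triggers.
MODULE_FOR_EVENT = {
    "sim_clicked": "Spotting phishing links",
    "sim_submitted_credentials": "Spotting phishing links",
    "password_reused": "Password hygiene",
    "credential_in_breach_dump": "Password hygiene",
    "training_overdue": "Annual refresher",
}

HIGH, ELEVATED = 10, 5   # hypothetical tier thresholds


def user_scores(events: list[tuple[str, str]]) -> dict[str, int]:
    """Sum event weights per user; good behavior offsets risk but never drives the score below 0."""
    totals: dict[str, int] = defaultdict(int)
    for user, event in events:
        totals[user] += EVENT_WEIGHTS[event]
    return {user: max(0, score) for user, score in totals.items()}


def risk_tier(score: int) -> str:
    if score >= HIGH:
        return "high"
    if score >= ELEVATED:
        return "elevated"
    return "normal"


def group_scores(groups: dict[str, str], scores: dict[str, int]) -> dict[str, float]:
    """Average user score per group, so campaigns can also target a whole department."""
    by_group: dict[str, list[int]] = defaultdict(list)
    for user, group in groups.items():
        by_group[group].append(scores.get(user, 0))
    return {group: round(mean(values), 1) for group, values in by_group.items()}


def plan_campaign(events: list[tuple[str, str]], groups: dict[str, str]) -> dict:
    """Assign targeted modules to users at elevated risk or above; flag high-risk users for follow-up."""
    scores = user_scores(events)
    triggered: dict[str, set[str]] = defaultdict(set)
    for user, event in events:
        if event in MODULE_FOR_EVENT:
            triggered[user].add(MODULE_FOR_EVENT[event])
    assignments, follow_up = {}, []
    for user, score in scores.items():
        tier = risk_tier(score)
        assignments[user] = sorted(triggered[user]) if tier != "normal" else []
        if tier == "high":
            follow_up.append(user)
    return {
        "scores": scores,
        "tiers": {user: risk_tier(score) for user, score in scores.items()},
        "groups": group_scores(groups, scores),
        "assignments": assignments,
        "follow_up": sorted(follow_up),
    }


# Constructed sample event log and group membership.
SAMPLE_EVENTS = [
    ("alice", "sim_clicked"), ("alice", "sim_submitted_credentials"), ("alice", "password_reused"),
    ("bob", "sim_reported"), ("bob", "sim_reported"),
    ("carol", "training_overdue"), ("carol", "sim_clicked"),
    ("dave", "sim_reported"),
]
SAMPLE_GROUPS = {"alice": "finance", "bob": "finance", "carol": "engineering", "dave": "engineering"}

if __name__ == "__main__":
    print(plan_campaign(SAMPLE_EVENTS, SAMPLE_GROUPS))
```

Clamping at zero matters: a user who reports every simulation should sit at the bottom of the scale, not accumulate a negative balance that later masks a real lapse.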
8) Adaptive Learning Experience
The next phase is to provide end-users with a localized user interface where they can see their individual risk score, receive awards, and attend training. In this phase, advanced metrics also enable ML- and AI-controlled campaigns in which each user receives highly individualized security awareness training.
9) Active Participation of the Employee in the Overall Security Situation
Here the user becomes aware of their role in the defense of the company and actively opts for additional training to reduce their risk score. Employees take part in security awareness campaigns and become local awareness champions. In the end comes the realization that you have become the endpoint yourself.
10) The Employee as a Human Firewall
Every employee is well aware of the risks associated with cybersecurity and makes smart security decisions every day based on a clear understanding of those risks. The current work-from-home situation has significantly accelerated the need to reach this goal with as many employees as possible.