Establishing Awareness for your Community Cybersecurity Program
A security awareness program can be a valuable tool to ensure everyone understands the cyber threat and to reduce the number of weaknesses that can be exploited by an attacker. Everyone needs to be aware of common threats to avoid becoming a victim of easier scams and phishing attempts. After all, end users are an incredibly important aspect of a security program to reduce risks and to prevent cyber threats.
Security awareness programs often get scrutinized when determining their worth. The greatest argument against the awareness program is that no matter how much training users receive, breaches that target end users are still occurring and continue to have a high success rate because people continue to be the weakest link in the cybersecurity chain. Often, it is also pointed out that there is a disconnect between users’ performance during training and their ability to recognize threats in their behavior and responses in a real-life environment.
When designing a security awareness program, the important aspect to focus on is not whether security awareness is worth it, but whether the program implemented is effective and really addresses the needs of the community.
Questions to think about include:
- Is the effort supported by leadership?
- Are awareness topics relevant to the individual based on their role in the community?
- Have we educated people on data breach prevention and response?
- Do people know who to contact if they discover a security threat?
- Do people know what constitutes a security threat?
Creating a cybersecurity awareness program for a community is different from creating an awareness program for an organization. Awareness at the organizational level will be focused on supporting the mission and goals of the organization, and will primarily train the workforce, partners and possibly customers. In comparison, a community awareness program can be much bigger in scope, and the awareness needs will be much more diverse.
If the community awareness program is all-inclusive, the program would address small, mid-size and large businesses, local government, emergency services, non-profit organizations, critical infrastructure and the citizens. Overall, the community’s awareness would need to include the cyber threats the community may face and would need to address how these threats can impact the business operations and critical services they provide. Additionally, the awareness program needs to help the community understand what the potential cascading effects may be and how community services, organizations and citizens may be impacted.
Increasing cybersecurity awareness within the community can be done in many ways.
Organizations in the community can do many of these activities as collaborative efforts. These partnerships will not only build awareness but will also connect people to share information about cybersecurity and build trust among the community members.
- Conferences and Seminars: Partnerships can be established with local universities, community colleges, chambers of commerce or other organizations within the community to hold cybersecurity conferences or seminars. A great timeframe for this is during Cybersecurity Awareness Month in October.
- Games: Cybersecurity games take important and serious concepts and create a fun delivery method to introduce these topics. Games are being used as STEM educational tools for K-12 students. Initiatives such as these are introducing cybersecurity principles and future career possibilities to students that might not otherwise consider this as a career path. An example of a cybersecurity game is:
  - Cyber Threat Defender (CTD), created by the CIAS, is an original product that is transforming classroom conversations about cybersecurity by introducing terminology, concepts and careers in an approachable game-based format.
- Training: Cybersecurity training is an effective tool in building a security culture. There are a variety of types of training available, including traditional instructor-led training with hands-on activities to hone skills on a particular topic. Web-based training is a great option to reach a broad audience and provides training when it’s convenient for the learner. Another type of training is to integrate training into simulators. This is a great way to role-play or provide scenarios for the learner to go through.
- Competitions: Cybersecurity competitions are competitive events that provide an environment for learning cybersecurity. Competitions can be used to hone skills, and to practice technical and decision-making skills to design, configure or protect a network. Competitions start at the middle school level and continue to cybersecurity professional levels. Competitions at the college levels often lead to internships, scholarships and job offers. Some examples are:
  - CyberPatriot is a K-12 program sponsored by the Air Force Association.
  - National Collegiate Cyber Defense Competitions (NCCDC) are regional collegiate cyber defense competitions conducted throughout the nation. The NCCDC is the largest college-level cyber defense competition in the United States.
  - Code Jam is Google’s global coding competition. “Code Jam calls on programmers around the world to solve challenging, algorithmic puzzles against the clock. Contestants advance to compete at the annual Code Jam World Finals that is held at a different international Google office each year.”
- Internships: A community internship program would coordinate high school, community college and college students interested in cybersecurity and pair them with participating local organizations. These organizations may be looking to find future employees and may want to utilize an internship as a way to evaluate the intern’s work ethic, ability to learn the organization’s culture and processes and fit into the work environment. Whether paid or unpaid, internships are a low-cost way to introduce future talent to the cybersecurity career field. A community internship program is a cost-effective public relations tool and can assist in expanding awareness of cybersecurity throughout the community.
- Education and Degree Programs: More universities and colleges are offering information security, information assurance and cybersecurity degrees. Degrees such as these can grow a capable workforce and expand talent for general Information Technology positions, such as software developers, computer programmers and information systems managers.
- Certifications: Cybersecurity certifications are credentials earned to show that specific skills or knowledge have been obtained. Certifications are typically offered by a professional organization that specializes in a field or technology and require an individual to pass a test to earn the certification.
- Tabletop Exercises: These exercises are often an inexpensive way to build incident response skills and to identify potential discrepancies in plans, processes and training programs. Tabletop exercises are designed to test a hypothetical situation and evaluate the community’s ability to cooperate and work together, as well as test their readiness to respond to the incident presented.
Effective Awareness Programs
In addition to having its effectiveness measured, a security awareness program should have these qualities:
- fun
- supported by leadership and focused on changing the behavior of individuals
- interactive (encouraging feedback and ideas)
- sustainable, repeatable and long-term
Security is not a destination; it is a journey, and the progress needs to be measured. Most security programs measure effectiveness by how many people complete training. This really only focuses on attendance. The metrics that should be collected are those that show a change in behavior.
Remember, there are many ways to increase cybersecurity awareness within the community. Next month, we will discuss Information Sharing in the Community Cyber Security Maturity Model when establishing your community cybersecurity program.