Security Awareness Blog

What Is an LMS?

One of the most common questions I get working on security awareness programs is "What is an LMS, and why do I care?" Let's take a moment to answer that question. Most security awareness programs share two goals. The first is to change employee behavior so as to create a more secure environment: if employees are aware that they are a target and know what they can do to protect themselves, the organization is less likely to be compromised. The second is compliance, meeting standards or regulations that require an awareness program, such as PCI DSS or ISO 27001. Such standards require organizations to prove they have an active awareness program and to document which employees have been through the training. This is where an LMS comes in.

An LMS (Learning Management System) is really nothing more than a software application used to manage, distribute and track online training. Organizations take their security training videos and load them into their LMS (or one hosted by someone else). Each employee is then given a login and password to the LMS and is required to log in to take the training. As a result, organizations can track who took what training and when, and, if there are quizzes, what each employee's score was and whether they passed. That's it. Some LMSs have far more advanced functionality (such as offering courseware at universities), but in the world of security awareness this is usually what I see them used for. There are many different vendors of LMS software (including open source versions). To ensure interoperability, they all share a standard called SCORM. If you are considering using an LMS, make sure your security training is SCORM compliant.
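As an added illustration (not code from the original post), here is the tracking an LMS does behind the scenes, reduced to a few dozen lines of Python: attempt records in the shape SCORM 1.2 content reports to the LMS (cmi.core.student_id, cmi.core.lesson_status, cmi.core.score.raw and cmi.core.score.max are real SCORM 1.2 data-model elements), rolled up into the per-employee evidence a PCI DSS or ISO 27001 auditor asks for. The roster, the attempt records, the "timestamp" field and the 80% pass mark are all constructed assumptions, and the handling of repeat attempts, unscored attempts and ids that are not on the roster is my own design, not any vendor's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Passing threshold, in percent. The 80% figure is a constructed assumption for
# this example; a real LMS reads it from the course's mastery score.
PASS_MARK = 80.0

# SCORM 1.2 content reports results to the LMS through CMI data-model elements
# (cmi.core.student_id, cmi.core.lesson_status, cmi.core.score.raw, ...).
# The attempt records below are constructed sample data in that shape; the
# "timestamp" key is a hypothetical field the LMS adds when it stores an attempt.
SAMPLE_ATTEMPTS: List[Dict[str, str]] = [
    {"cmi.core.student_id": "alice", "cmi.core.lesson_status": "completed",
     "cmi.core.score.raw": "90", "cmi.core.score.max": "100", "timestamp": "2010-07-01T09:12:00"},
    {"cmi.core.student_id": "bob", "cmi.core.lesson_status": "failed",
     "cmi.core.score.raw": "60", "cmi.core.score.max": "100", "timestamp": "2010-07-02T14:05:00"},
    {"cmi.core.student_id": "bob", "cmi.core.lesson_status": "passed",
     "cmi.core.score.raw": "85", "cmi.core.score.max": "100", "timestamp": "2010-07-03T08:40:00"},
    {"cmi.core.student_id": "carol", "cmi.core.lesson_status": "incomplete",
     "cmi.core.score.raw": "", "cmi.core.score.max": "100", "timestamp": "2010-07-03T16:30:00"},
    # A record from someone no longer on the roster; it must not count for anyone.
    {"cmi.core.student_id": "eve", "cmi.core.lesson_status": "passed",
     "cmi.core.score.raw": "100", "cmi.core.score.max": "100", "timestamp": "2010-07-04T10:00:00"},
]

# Constructed HR roster: everyone who must complete the training this cycle.
ROSTER: List[str] = ["alice", "bob", "carol", "dave"]


@dataclass
class EmployeeStatus:
    employee: str
    attempts: int
    best_score: Optional[float]   # percent; None if there is no scored attempt yet
    passed: bool
    last_attempt: Optional[str]   # timestamp of the most recent attempt; None if never started


def score_percent(attempt: Dict[str, str]) -> Optional[float]:
    """Normalise cmi.core.score.raw to a percentage; an empty raw score means 'not scored'."""
    raw = attempt.get("cmi.core.score.raw", "")
    if raw == "":
        return None
    maximum = float(attempt.get("cmi.core.score.max") or "100")
    return 100.0 * float(raw) / maximum


def compliance_report(roster: List[str], attempts: List[Dict[str, str]],
                      pass_mark: float = PASS_MARK) -> Dict[str, EmployeeStatus]:
    """Build the per-employee evidence an auditor asks for: who trained, when, and with what result."""
    by_employee: Dict[str, List[Dict[str, str]]] = {emp: [] for emp in roster}
    for attempt in attempts:
        student = attempt["cmi.core.student_id"]
        if student in by_employee:          # the roster is authoritative; stray ids are dropped
            by_employee[student].append(attempt)

    report: Dict[str, EmployeeStatus] = {}
    for emp, records in by_employee.items():
        scores = [s for s in (score_percent(r) for r in records) if s is not None]
        best = max(scores) if scores else None
        # Trained means: the content reported "passed", or the best quiz score met the mark.
        # A "completed" or "incomplete" status without a qualifying score is not enough.
        passed = any(r["cmi.core.lesson_status"] == "passed" for r in records) \
            or (best is not None and best >= pass_mark)
        last = max((r["timestamp"] for r in records), default=None)
        report[emp] = EmployeeStatus(emp, len(records), best, passed, last)
    return report


def outstanding(report: Dict[str, EmployeeStatus]) -> List[str]:
    """Employees who still need to pass; this is the list that gets chased before the audit."""
    return sorted(emp for emp, status in report.items() if not status.passed)


if __name__ == "__main__":
    result = compliance_report(ROSTER, SAMPLE_ATTEMPTS)
    for status in result.values():
        print(status)
    print("Still outstanding:", outstanding(result))
```

The two design choices worth noticing are that the HR roster, not the LMS's own user table, decides who must be counted (so a departed employee's record cannot pad the numbers), and that repeat attempts are kept rather than overwritten, so the report can show both that bob failed once and that he later passed.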

Still confused or want to try out an LMS? Just shoot me an email and I'll be happy to give you an LMS account to try.


Posted July 14, 2010 at 10:15 PM


LMS: an excuse that says "we tried to train them, but they still don't follow the training", while providing lame security training with bad advice.
Including telling you to accept cookies, Flash, JavaScript, Java, popup windows, and a self-signed SSL certificate, in order to take the training.
Oh, and download this .doc file with macros for detailed instructions on how to take the training. From a third-party web site you've never heard of.
Then provide a test at the end, where most of the questions weren't covered in the training. And you need 80% correct to pass.
Really. Been there, done that, many years in a row.
I'm not sure we're making progress here.