Last week I started a new series in security awareness training on how to communicate your awareness program. Even once you identify the most effective security awareness topics for your organization, you will not have an impact unless you effectively communicate those topics. Last week I broke down security awareness communication into two categories, primary and reinforcement. Today I would like to focus on primary. The purpose of primary training is twofold. The first is to communicate your program to new hires, contractors or other individuals who are not security aware and do not know company policies. The goal is to make sure everyone is on the same baseline (kind of like basic training in the military). This is often an annual program. In addition, the tracking of primary training is often required for compliance purposes, to demonstrate to auditors that everyone is trained. In general, the two most common methods for primary training are:

On Site Workshops: This is when organizations provide onsite training, usually an instructor-led presentation. Training is usually one to three hours long. The advantages of onsite training are that it can minimize costs and, if you have knowledgeable, dynamic speakers, it can be one of the most effective means to communicate. There is nothing more exciting than having a highly interactive presentation that gets both speaker and audience working together. The problem is On-Site Workshops do not scale well. If you have 5,000 or even 50,000 employees spread out around the world, who will do all the speaking? How will you coordinate getting all these people into rooms at certain times, and do you have the facilities? In addition, you either need dedicated speakers who travel around the world, or you have multiple speakers in multiple locations. The challenge then becomes having high quality instructors that can communicate a consistent message. If you have the resources for onsite workshops, it can be one of the most effective means for primary training. The challenge is usually one of scale.

Online Computer Based Training (CBT): While CBT cannot create the interactive environment that an onsite workshop can, its greatest advantage is that it allows organizations to scale. Employees can take the training when they want, even from home. This ensures you can reach more people, and since the training is online you can easily track who took what training when (important for compliance). In addition, it is simpler to ensure you communicate a consistent message to everyone; you can even translate the content so that the message is communicated to employees in their native language. You also do not have to worry about locations or facilities, as you no longer have to physically bring speakers and end users together. Interestingly enough, three organizations I have worked with in the past six months have also taken the extra step of making their CBT training available to employee families.

Each method has its advantages and disadvantages; which approach is right depends on your organization and your requirements. I have seen some organizations use a combined approach, where onsite workshops are used, but then online training is provided for employees who want to take it again or missed the onsite.


There was a recent story where an undercover TSA agent, for $100, successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane. The story is
One conclusion from the article that did not sit well with me was in this line: "Although JetBlue is partly to blame for training issues, this could have happened with almost any airline."
Really???? He wasn't trained???? Does anyone seriously believe the employee wasn't aware this was against the rules????? Does anyone really think this was due to lacking awareness????
The relevant point being, people need to understand what awareness training is, and what it isn't. It can teach trustworthy people what to do and not to do. It can warn untrustworthy people of the consequences of certain actions. But it cannot turn an untrustworthy person into a trustworthy person.
I thought the timing of reading both this fine article and the TSA article made for an interesting juxtaposition. If they think the problem with the bribery was a lack of training, then they have the causation all wrong.
Have a nice weekend.