Okay, and we are back to discussing the components of a good internal security awareness program:
Computer Based Training
CBT is the most omnipresent
component of security awareness programs, as it is the most clearly
accepted method of achieving compliance. Per our past article, this is a
case where people confuse Security Training with Security Awareness.
CBT provides a set body of knowledge and tests people to ensure
short-term memory retention. However, the reliance specifically on CBT as
a Security Awareness program is what creates the bulk of the criticism
about Security Awareness in general. Despite what the critics say, this
is still a vital component.
CBT can range from 3 minutes to hours long (I do not suggest the latter, as your people will go into "I don't care" mode after a time), with varying
degrees of interactivity. It can summarize the most important lessons
you would like your employees to learn. Unless the CBTs are on the
shorter side, they are limited to one time per year, as you can't have
employees taking extended training on multiple occasions. However,
multiple short CBTs can be used to reinforce many concepts throughout
the year and can be very valuable.
This next topic is one of the most important components, in my opinion:
Security Portal
An internal security portal provides
several functions. First, it provides a
knowledge base, which can be time-consuming to create and maintain but
can provide a huge return on investment. It includes information on
security-related topics, such as securing a mobile device, creating a
strong password, and travel security. It is also important to include
information on home and personal security strategies, such as protecting
children online and securing social media accounts. If you provide
information that personally engages employees, the behaviors can
translate to secure work habits.
Creating the knowledge base can
seem a bit like Sisyphus and the rock, especially since it must also be
kept up to date to reflect changing technologies. However, the time is
worth it as it engages employees, and provides information that is not
being covered by other awareness efforts, but is still important to the
employee.
The other critical aspect of a security portal that
should be included is a method to contact the security staff with
questions. This provides a way for people to report potential incidents
and to reach out with general questions and concerns.