If there’s one thing you should bear in mind when developing and deploying security awareness education, it’s this - don’t do generic. The main reasons why you should avoid generic (whether downloaded for free or subscribed to by many of the vendors who are supplying commodity content) are:
- It will have little relevance to the audience in YOUR organisation and will it will be obvious to participants that it is a generic programme smacking your logo on the content won’t fool anyone into believing that the content has been customised for your organisation)
- It’s unlikely to use your organisation’s language and terminology and give the appearance that “this does not belong here”
- It won’t be targeted for specific activities conducted in different areas of your organisation: some departments will be affected by GDPR issues, some with PCI-DSS compliance and others may have specific regulatory issues associated with the information they acquire, hold and process. This is an area where you can quickly lose credibility with course participants.
- It will be too long for most participants. While there are common topics that must be covered, participants will want to be focussed on issues that apply to them, their jobs and, hence, the information they handle on a daily basis. Using "all things to all people" content will cause attention to drift and you will lose your audience.
So, to bespoke your training to your organisation:
- Break it up into a series of modules that consist of a general overview which then provides “streams” for specific activities
- Keep modules short and focussed on what participants need to know. Details of standards and regulations may be interesting to specialists like you, but won’t be relevant to the target audience of your awareness programme.
- Keep it risk based – focus on the threats that have been identified for your organisation, your industry and the type of threats that your participants are likely to encounter.
Tailoring your security awareness programme delivery to the needs of your organisation will send out several positive messages to participants:
- That you have put in the effort to create relevant educational resources
- That you have bothered to think about THEIR needs
- That you are operating on the principle of supporting your colleagues in an educational process rather than “box-ticking”
These and other issues associated with the development and deployment of security awareness programmes are covered in my Cybray course : "Creating Effective User Awareness Training"