Cybersecurity

areas of cyber-hygiene.

The idea behind awareness training is, "Change everyone's reflexes," Bihya said. "If I see an email with a link, my reflex should be to not click on the link."

With human error being the path of least resistance for cybercriminals, the need to bring awareness and education to employees through security awareness training has been given more priority. It has become clear that annual lunch-and-learn trainings are no longer enough.

While providing people information does have value, changing behavior should be the focus of an awareness program, said Erich Kron, security awareness advocate at cybersecurity training firm KnowBe4. Education should not be limited to topics that focus on email phishing, but also to overall security hygiene, including how to secure accounts with multifactor authentication (MFA) and how to use tools such as password vaults to create long, secure, and especially unique passwords.

The Evolution of Security Awareness Training

In recent years, security awareness training has evolved to incorporate adult learning principles and elements such as:

- Continuous awareness, training and education on the cyberthreat landscape. Rather than text, most training modules use audio and visual elements with characters acting out scenarios of good and bad behavior.
- An opportunity to apply what has been learned using simulated programs, where fake phishing emails are sent out at random times to people in the organization to see how many are tricked into clicking on malicious attachments and links.
- Assessments and quizzes. At the end of each section of training, the employee answers a few questions to see if they have understood the concepts. Then at the end of the module, they are assessed on their likelihood to follow the principles taught.

Kron recommended that HR departments find ways to automate training assignments and use positive messaging when communicating about such programs. Having leadership reinforce the importance of education and training programs can also improve completion rates and reduce the effort required to ensure people are doing the training.

Kron favors the deployment of shorter training sessions more often and with a more targeted and thought-out approach.

Unlike in the past, different types of training are now being developed to communicate with employees in the form of games, animation, live-action teaching and even season- and episode-formatted shows that look like high-quality television productions, he said.

In addition, AI components are being introduced to tailor content provided to employees, based on their own specific areas of weakness or the latest threat vectors. Another development is point-of-failure training to provide real-time guidance as to why an action taken by an employee could be dangerous. This helps people better understand the threats they face and the purpose of the policies or security controls they may have inadvertently violated, or the reason for the simulated attacks.

Security awareness has begun to blend into programs related to physical safety and awareness, Kron said. Just like safety campaigns that have been run for decades to warn people of dangers from machinery, chemicals and other physical threats, digital dangers will also be addressed in the same way with signage and coordinated, highly visible campaigns.

Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.

Reprinted with permission from SHRM.org. 2023. All rights reserved.

Central States Insulation Association, csiaonline.org