Cyber security awareness is known to reduce risk. You know you need to incorporate it within your organization, you may even have something in place. Now what? Do you have defined cyber security awareness goals? Are these goals being met? In our 2016 white paper, Security Awareness and Training: Solving the Unintentional Insider Threat, we offer a structure to evaluate the current state of your security awareness program: NIST Cybersecurity Framework’s tiered approach.

Tier 1 Partial

Security awareness and training is ad hoc or reactive. User education may only take place after an incident (e.g. a mass e-mail is sent after someone has been infected with ransomware).

There is limited awareness of risk at the organizational level, and there may be a lack of support for an awareness and training program (i.e. computer security is seen as an IT function only).

Tier 2 Risk Informed

Awareness may be delivered through periodic newsletters or posted to an intranet portal without tracking user participation. No formal curriculum is defined.

Support for a program has been approved, but no policy has been adopted by the organization.

Tier 3 Repeatable

Awareness and training is mandatory for everyone and is tracked.

Training may be updated based on changes in technology, changes to security controls, and new threats.

A formal policy is in place which includes periodic reviews and updates.

Tier 4 Adaptive

Awareness and training is mandatory for everyone and is tracked and measured.

Training is updated based on feedback, changes in technology, changes to security controls, and new threats.

A formal policy is in place which includes periodic reviews and updates.

How does your program measure up? Are you happy with where you are? If not, we can help.