Training Principles
"Changing Employee Behavior From The Predictable To The Secure!"
The CfISA course is a unique approach to security awareness training, blending security best practices and customer-specific security policies with behavioral psychology, compelling storytelling, and rich interactive media.
The course is based on five fundamental principles:
- For security awareness to work, ideally most or all of the time, “thinking security” must become instinctive, as much second nature as being polite to customers.
- In order for employees to start behaving securely, their current behavior must be modified or security rules will never work.
- For behavior to become instinctive, employees must change their attitude to, and perception of, both the challenge and the outcome.
- In order to modify security behavior, employees must feel a relevant, personal, and direct connection to the outcome.
- Training must be packaged properly to achieve that outcome.
To meet the challenge of behavioral change, employers must first understand the nature of behavior: why employees do the things they do, and why they don’t do the things they know they should.
We believe that employee security awareness continues to fail for the following reasons:
- Most organizations still don’t have a culture of security, or "security saturation," thus leaving awareness training to survive in isolation.
- Training is rarely frequent enough to have any effect on behavioral change.
- Trainers usually focus on enforcing rules, not changing behavior.
- Most security trainers are poor and unconvincing communicators.
How we apply these principles:
The first part of the course focuses on the behavior challenges; helping employees make a personal connection with cybercrime and workplace security; understanding who commits these crimes and what their motives are; understanding why exploiting predictable employee behavior is critical to committing these crimes; and why modifying personal behavior can be so powerful in preventing these crimes.
The second part of the course then focuses on the rules, and how they contribute to behavioral change and better workplace security. It addresses all the key security vulnerabilities, including web and e-mail use, passwords, data classification and protection, social engineering, preventing computer viruses and spam, security outside the office, personal workspace security, acceptable use of electronic resources and more.