New Year, New Security Awareness Training—How to Implement a Role-Based Training Program

Originally published by BARR Advisory.

Written by Larry Kinkaid, Manager, Cybersecurity Consulting, BARR Advisory.

As we head into the new year, you might be thinking about your organization’s security and compliance goals. What will you be doing differently? What will remain the same? What do you need for continued success?

Let’s start with security awareness training.

According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of data breaches involve a human element. Because of this risk, effective security awareness training is essential for all organizations. Even if you’re already requiring a standard security training for your employees, it’s important to update your training program regularly. Using specific techniques, such as tailoring your training to each employee’s specific role and responsibilities, can make security awareness training more engaging and effective.

Let’s look at how to implement a role-based security awareness training program at your organization this year so all your associates know their specific responsibilities and understand their roles in maintaining security and compliance.

What is Role-Based Security Awareness Training?

Role-based security awareness training is exactly what it sounds like. Since employees have unique responsibilities and interact with different systems and data in their specific roles, they need to know different things about security. Simply educating a DevOps engineer on how to identify social engineering attacks isn’t enough—they should also know how to apply security in each aspect of their day-to-day jobs.

Implementing role-based security awareness training for specific roles

So, how should organizations determine which roles need specific training? The first step is to identify any sensitive information within your organization. Next, identify the roles that interact with that sensitive information to help you determine who will need tailored or specific security training.

For many organizations, compliance requirements are an easy place to begin this process. While security training should never be a check-the-box exercise, compliance can help guide role-based security training. For example, if your organization processes, transmits, or stores protected health information, it must comply with HIPAA. Determine who interacts with that data and ensure they are trained to understand how to appropriately handle data under HIPAA.

Everyone who works from a computer and has an email account should undergo basic security training. Other specific roles to consider include:

• Developers: All developers should be trained in the preferred security standard based on the kinds of development activities. For example, the Open Web Application Security Project (OWASP) standard provides developers with the necessary controls and requirements for secure development.
• Accountants and finance personnel: According to the DBIR, financial gain is the most common motive of threat actors involved in data breaches. Employees with access to financial information are likely to be the target of phishing attacks or other social engineering scams and should be trained to recognize various threats.
• Human Resources (HR): HR employees typically have access to personal information for other employees and staff, including Social Security numbers, addresses, and other sensitive data. HR employees should be trained to understand why a threat actor may want access to HR accounts and how to avoid falling for social engineering scams.
• Privileged access users: Anyone with privileged access to systems, such as system administrators, should receive tailored security training to ensure they secure the systems they are responsible for. If an attacker were to gain access to a privileged user’s credentials, the attacker could potentially wreak havoc on a system by shutting it down, installing malware, or holding the system for ransom. This includes IT personnel responsible for maintaining the systems and devices supporting the business objectives.

Some organizations may have employees who don’t use a computer for work and may not require basic IT security training. For those employees, figure out what IT exposure they do have, and give them a one-pager outlining expectations and responsibilities. For example, a night janitor doesn’t need to undergo OWASP training. Still, they should have a basic understanding of other security risks, such as what to do when another employee leaves their work laptop unattended overnight and requirements for physical security at the organization’s facilities.

Tools and Tactics for Implementing Role-Based Security Awareness Training

There are plenty of tools to help organizations implement role-based security training to varying degrees of cost and effectiveness. BARR’s partner Curricula has a free, basic security awareness training available to organizations of all sizes and several more specific training episodes that can be used for role-based training such as privacy and HIPAA training.

Role-based security awareness training doesn’t need to be an expensive investment or tedious task for your employees. It can be as simple as starting a book club for developers to discuss educational resources on secure development. At a minimum, employees should receive training appropriate to their role upon hire and annually thereafter. The goal is to be engaging and effective, not dull and time-consuming.

Measuring the effectiveness of role-based security training

Once role-based security training is implemented, how does your organization know if it’s successful? There are a few metrics for measuring the success of a training program, including the number of people who completed their training and the time it takes for an employee to complete the training after onboarding.

Organizations can also measure the increase in security reports. When employees report security issues or phishing emails, it shows the organization that security training is working.

Finally, security teams should also solicit feedback from their employees. Did they enjoy the training and feel empowered by it? How could it be improved? Real-time feedback can help leadership determine any necessary changes to security awareness training.

Benefits of Role-Based Security Awareness Training

Role-based security awareness training can be more effective than forcing all employees to undergo the same lengthy, boring training. Let’s take a look at some of the benefits organizations can expect after implementing role-based security training.

• Increased engagement: While some security awareness training programs can be tedious, the length of training doesn’t necessarily equate to the value of the training. Role-based training is more engaging and effective in teaching employees what they need to know based on their roles.
• Better use of time and resources: It would be a waste of time and money for all employees to be trained in all security measures. Instead, team members should learn the basics of security training directly relevant to their role. Role-based security training treats each risk appropriately.
• Improve security culture: Role-based security awareness training shows your employees that security is essential to your organization and empowers them with the education they need to measure and mitigate security risks and gain traction with continuous improvement. It can also help employees loosen up the dialogue around security, teaching them not to be afraid to admit security issues when they arise and the value of transparency.