Moving the needle on cybersecurity awareness training
Cybersecurity awareness training helps protect the critical infrastructure of our institutions. Raising awareness for administrators, educators, and students of the sophisticated tactics used by criminals invalidates them. Users who know reporting procedures positively impacts response time. Better understanding of standards improves policy adoption. Completion of cybersecurity awareness training also ties directly to the insurability of an institution. In nearly all cases increasing completion of training is a win-win as safer practices protect users and the institution.
What threshold of compliance is enough?
In recent discussions among the CIOs, currently we are seeing that level of cybersecurity awareness training on campus for staff and faculty varies, with the top level of compliance hovering around the 80% mark. The numbers by institution have been consistent over the past several cycles and now there is a push to gain the wins of having increased completion of training by students, faculty and staff at all institutions. That push is coming from a place of concern for all the reasons mentioned above - protecting people and information. How do you define successful compliance? What is your target set at? 80%? 100%? What broad strategies will you undertake to move the needle towards success?
PATH 1: The STICK
Some may reach for the stick or banhammer. If a member of the institution does not complete training, remove their access. Going down this path has its advantageous, but its outcomes should be considered. It will gain a rapid uptick in completion of the training. By definition 100% of active users will have completed the cybersecurity awareness training because it is required to be a user. But, who owns the decision to end access? IT can pull the plug but if ownership of that decision is entirely within IT, but IT runs the risk of being perceived as a faceless goon that has stolen your ability to work and now their asking you to complete a training course to get it back? Users will complete the training and gain a continued resentment for forced compliance.
PATH 2: The CARROT
Others will try to demonstrate the value of cybersecurity awareness training. Reaching out with demonstrations benefits, easy-of-compliance, and explanation. Going down this path has its positive elements but its outcomes should be considered. Evidence in our conversation suggests that there is an upper limit to voluntary adoption of training that hovers around 80%. Exceeding that threshold is likely to have an exponential cost curve that may limit itself well before 100% of the users are trained. This creates a multi-dimensional balance point that needs to weigh risks and costs. It is a decision that ultimately needs the endorsement from the highest levels of the institution. Is there an unlimited budget to go out and find those last few users?
Path 3: creative approaches
Some institutions have had success using carrots or sticks. Others have seen results using more unconventional or creative approaches. For example, some might offer levels of certification, breaking the training into more manageable sized chunks and get attestations in writing at each stage. Or, they might take the competitive approach by sharing dashboards (e.g. multi-factor authentication rollout by department) to university leadership and make an example of those that are compliant and those that are lagging behind, as seeing where you are in relation to others creates action.
Summary
Many institutions blend approaches when it comes to staff and faculty training, obtaining the camaraderie of voluntary compliance while needing the guarantees of forced adoption. In the absence of legislative or regulatory backing, it makes it challenging to move the needle.
We might not all agree on the approach, but we can all agree on the importance of cybersecurity awareness training.
The dashboard competition
Attest in writing
Your feedback is welcome!
There is a lot to consider for this and all policy cases. Coming with to the table with information about the costs of increasing compliance, successful tactics for gaining that compliance, and an understanding of industry standard helps alleviate some of the decision making pressure.
If you have other solutions for moving the needle on cybersecurity awareness training, or for other policy uptake we would love to hear them! Click here to start sharing your ideas right away. If you’d like to be a part of the discussions of our community of over 1,000 higher education IT professionals you can click here.
CUCCIO is a community of higher education IT professionals. Our 74 member institutions represent more than 90% of Canada’s university students, faculty and staff.