Moving beyond Security Awareness and onward with Security Competence
While Security Awareness is important, the focus on Competence ensures that the employee has real Cyber Security skills that can be applied in a Cyber Risk situation.
Awareness is knowing a fact or situation, whereas competence is a specific range of skill, knowledge or ability. To develop a strong Cyber Security culture, organizations must go beyond Security Awareness training and help their employees acquire valuable Cyber Security skills.
Awareness and Competence
How much does the end-user know, and what can the end-user do?
There is a fine line that separates awareness training and competence-based learning. For example:
Awareness: Knowing how a VPN or encryption works
Competence: Turning on a VPN when connecting from outside the office, even if the Wi-Fi connection is encrypted
Awareness: Knowing that fake websites can steal information
Competence: Identifying a fake website even though it may have an SSL certificate
Awareness: Knowing that some mobile apps can sniff or steal information
Competence: Securing a personal mobile device before activating business email
As can be seen from the above examples, a “competence”-focused approach gives end-users valuable and practically applicable Cyber Security skills. Hence, the question Cyber Security managers must ask is:
“Is my Cyber Security training providing valuable skills to the end-users that they can apply when confronted with real Cyber Risk situations?”
The answer lies in expanding the focus beyond Security Awareness to Security Competence.
Measuring effectiveness using awareness scores alone may be misleading
An important aside that must be covered at this point is the dependence on assessments to measure the effectiveness of Cyber Security training.
Most Cyber Security training programs measure awareness using quizzes. It is important to remember that these assessments only test “how much does the user know?”. They do not test “what can the user do?”
Such assessments may lead to a false sense of confidence, and it is quite a normal practice to make them easy for the end-user to ace.
Using the Learning by Doing method
To build a knowledge base, one must acquire experiences
Learning by doing focuses on doing an activity and experiencing an outcome. In effect, this approach helps in acquiring experiences, and to build a strong knowledge base one must have experiences.
Learning by doing using 3D Virtual simulations
3D/virtual simulations are a practical solution for competence-focused Cyber Security training. Recently, at my company, we started experimenting with simple, practical, everyday Cyber Security risk situations that the end-user can relate to. See an example below.
Hence, the learning by doing approach, when used in Cyber Security training, helps the learner to:
- become actively involved in a cybersecurity risk situation
- use and sharpen analytical skills to mitigate the risk
- take decisions based on the analysis
- reflect on the outcome of the decision
Whether positive or negative, the outcome of this approach creates an experience. By acquiring Cyber Security experiences over a period of time, the end-user builds a strong base of Cyber Security knowledge and skills.
Competence-focused Cyber Security training goes beyond awareness by building Cyber Security skills that may seem simple but are of immense value. Slowly but surely, over a period of time, you will have employees who will know:
- where to look
- what to click (or not to)
- what to search
- what to turn on or turn off
…when confronted with a Cyber Security risk.