Building a culture of cybersecurity through user awareness training reduces risk to the enterprise and can enhance employee productivity. Awareness training may include education about securing devices, adhering to organizational policies and working with IT resources. This is particularly beneficial to educational institutions such as universities and colleges, which embrace an open learning environment that makes them a prime target for malicious cyberactors.
Princeton University (New Jersey, USA) is one such example. David Sherry, Princeton’s chief information security officer (CISO), and Tara Schaufler, information security and awareness training program manager, identified the following issues within their awareness program:
- Reaching a diverse target audience including students, staff and faculty
- Establishing relationships with security culture influencers
- Overcoming resistance to mandatory security training
- Maturing the awareness program
To address these problems, Sherry and Schaufler needed to publicize the security program, identify effective communications channels, and create high-quality awareness and training content that would be worthwhile for the audience. They also needed to draw the audience to awareness events or communications and deliver training.
As of mid-2020, the initial program pain points have been substantially overcome. The team has reached large segments of the Princeton community, has a strong collaborative relationship with Computing Support and other influencers, and has gotten many in the University community to accept the notion of mandatory training. Today’s challenges are to expand mandatory training, provide additional advanced training modules online and report metrics.
To learn more about how Princeton improved its cybersecurity awareness, read the full case study “Transforming Princeton’s Security Culture Through Awareness” in the ISACA® Journal vol. 1, 2021.