The Topics module is used to determine which topics to train in order to reach your targets. There are a large numbers of different topics to train to succesfully create security culture, from technical areas, via passwords, policies and legalities, to how to discover social engineering attempts.
The Topics module lists topics that are relevant to create and maintain security culture so you can pick and choose those that are relevant to you and your organization.
To create value and results, it is important to align the right topics to the metrics, targets and goals you defined in the Metrics module.
Some topics may be more or less relevant to different target groups. Adjusting your topics selection to the different target groups you defined in the Organization module is always good.
One thing to note about topics is that it is highly unlikely, and usually not something you would want, to cover all topics in one year. Long-term results are created by carefully crafting a plan to build the security culture you want over the course of several years.
Some topics are relevant at different stages of an employee lifecycle. One example is introducing new employees to policies and regulations when they begin working. Another is during relocation, when it may make sense to train the employee in local security routines.
It makes sense to work closely with HR to create a functional security culture program.
Choosing the right topics
Many topics are easy to identify with matching activity, while some will demand tailoring. It is recommended to first define topic and then look for matching activates.
Some topics are clear based on goals, such as password, phishing, reporting with more. Others again, may be revealed while mapping the organization such as insider-lists for the financial department, personal act for the HR department and confidentiality for health workers.
To map down topics that builds up under goal and matches an organizational map is one method to get a good overview. The easiest one is those who targets the whole organization and builds up under the overall goals in the goal hierarchy. Those who only target segments of the organization demands mostly more work.
The easiest topics to define are the overall goals, and those who include the whole organization. Those topics that only has a part of the organizations as target group or a single employee is more resource demanding.
During the work with topics is it important to be aware the learning goals defined under the metrics module. In many cases adjustments of the learning goals or new one will turn up when topic choices is made. If an adjustment in the learning goals occurs as a result of this remember to anchor and reflect them in the overall goals for the training.
Topic examples can be:
• Company policy
• Social media
• Bring your own device (BYOD)
• The mobile work station
• How to report accidents or possible threats
• Secure login
• Social Engineering
• Safe behavior on internet
Activity examples can be:
A short session of learning. In most cases delivered as E-learning
Just – in – time training
Is feedback as a result of a specific action. Such as a pop-up window telling that an infected or no-secure attachment or link was opened.
Lectures with or without activities for the participant. E-learning is also considered as course.
Is an instrument that can be very cost-effective, and can also be fitted into the individuals’ time schedule
Small videos or sessions of knowledge, tips and advice sharing from other in the organization.
Posters and leaflets
Information and other message reinforcements of message handed out or placed on strategic places.
Tests of competence and learning
One way to measure, is by using tests, questionaries and interviews. Testing the competence is a great way to both measure, and also to enhance any message and training effort.
A great way to build competence and culture is to have peers evaluate each others. This can be done using tools, or face-to-face, and even in groups. Make sure to promote an environment where sharing, and caring, is important, and avoid negativity.