24th May 2022
2nd February 2021
Read part 1 here - Change management strategy as a success factor - Why a change management strategy helps with security awareness campaigns and a security strategy and what needs to be considered.
Using a fictitious example, we will show you how you can implement a change management strategy for security awareness.
The fictitious company "Secure AG" wants to improve its security, supplementing its technical measures by including training for its employees for them to behave securely. The company has 500 employees and a small security team that also looks after security awareness.
Since the current situation of the information security culture within the company is not entirely clear, the management decides to conduct a survey among the employees in advance. The Security Awareness Radar® from TreeSolution is used for this.
The survey checks the information security ABC: Awareness, Behavior, Culture. Strengths and weaknesses in the areas of awareness, behavior, and culture are measured. The measurements show in which departments the understanding of information security is greater and in which departments it needs to be improved with targeted measures.
Based on this knowledge, the security team now works with the communications and HR departments to develop a security awareness strategy with suitable campaigns. The campaigns serve to promote the security awareness of the employees, to support them in behaving securely and thereby also to make the company more secure. For the implementation they proceed according to the principles of change management.
The campaign measures are to be applied over two years. Afterwards, a survey should again determine how sustainably the change was accepted and implemented by the employees.
To keep this example more readable and concise, we focus on only one measure here: we look at the change management process related to phishing training.
The TreeSolution change management model of secure behavior serves as a template.
The model shows how the measures decided should be implemented so that anchoring of knowledge among employees is most effective. Depending on the stage of implementation, the measures must therefore be prepared differently. First, attention paid to the topic should be increased through information and awareness-raising. The right type of communication improves perception and attitudes towards the topic, while enhancing knowledge and understanding. Anchoring is achieved by consolidating skills.
Since change cannot take place overnight, the campaign will run over several months. During this time, the topics will be divided into the three steps of the model, 1) attention, 2) acceptance, and 3) anchoring with the appropriate preparation, communication, and training.
As a first step, a poster campaign will be used to draw employees' attention to the topic of phishing. There will be a brief description of what phishing is all about.
A second step involves raising awareness. An information email will be sent to all employees with additional information about phishing and how to protect oneself.
Understanding/knowledge: to increase acceptance of the topic, it must be understood and knowledge about it must be strengthened. This will be achieved with a mandatory phishing e-learning. This once again will give information about phishing, what it is about, how to recognize phishing, how to protect oneself and where to report suspicious emails. At the end of the course there will be a quiz to test what employees have learned.
Conviction (positive perception/attitude): A few weeks after the e-learning, an information e-mail will explain the advantages of recognizing phishing. For example, employees not only protect their employer, but also their private information. In addition, the new phishing reporting location and the ease of reporting an email will be communicated again.
Transfer (skills / abilities): The most important aspect is the detection of phishing messages. A phishing challenge will check how well employees can recognize such an email. For this purpose, the first step will be to send a series of phishing e-mails. Next, there will be a check on how many employees click on the link in the e-mail and enter their data compared with how many employees report the e-mail as phishing. Since this will be gamified and the emails will be tailored to the recipient's situation, the measure will have a high level of acceptance among users.
Confirmation: to encourage dialogue with employees on the topic, lunch-break webinars will also be organized, where the topic will be discussed in more depth, questions will be answered and interested parties will be able to exchange ideas.
In advance, the team thinks about what resistance it might face:
The types of resistance are recorded in a risk map according to risk and probability of occurrence.
To deal with such resistance in advance, proposals for solutions are developed.
All goals, milestones and sub-projects are recorded in a project plan. The project plan also contains the individual target groups of the measures, the timelines, the advantages of the changes, and details of the measures. The project plan is made available to all employees on the intranet. During the project, the status, successes, and challenges are continually communicated. The IT Service Desk is specially trained for questions and concerns.
To anchor the topic of phishing effectively in the teams and departments and to support the employees, security ambassadors are sought out to support the security department with communication and assistance. They can help employees in their departments with questions and set up their own information points where people can come during breaks, for example. In addition, employees can give feedback to the ambassadors and communicate their questions and uncertainties.
We recommend following the principles of change management listed in this blog series when planning security projects and security awareness measures. This enables you to identify many hurdles and challenges in advance and work out solutions. By working with those concerned, innovations are more readily accepted and possible fears can be addressed. A well-developed change management strategy supports all those involved in the change process until new tools, working methods or processes are properly anchored and adopted.