What Is Information Security Education? Effective Training Topics and Methods to Raise Employee Awareness

Even if you install the latest security software and set up a robust firewall, just one employee opening a careless email attachment can infect your company’s entire system with ransomware and force business operations to halt. This is no longer a movie scenario, but something that occurs daily in real-world business environments.

No matter how advanced your technical measures are, the final line of defense in security is “people.” Each employee’s awareness and knowledge of security has a major impact on the organization’s overall defensive capabilities. Continuous information security education is indispensable to compensate for this human vulnerability.

This article clearly explains why information security education is important, the concrete topics that all employees should learn, and effective methods for implementation.

1. Why Is Information Security Education Important?

Information security measures consist of three elements: “technology,” “organization,” and “people.” Among these, measures targeting people are said to be the most difficult and also the most important.

The Biggest Weak Point in Security Measures Is “People”

According to a survey by JNSA (Japan Network Security Association, a nonprofit organization), many information leaks are caused by human error stemming from employee carelessness or lack of knowledge, such as losing or leaving behind devices and documents, operating errors, and management mistakes. Malicious attackers also frequently use “social engineering,” a technique that exploits not only system vulnerabilities but also the psychological gaps and weaknesses of employees. The biggest hole in security measures lies in the awareness of each individual employee.

Type of Measure | Examples                                  | Limitations
Technical       | Firewalls, antivirus software             | Cannot respond 100% to ever-evolving attacks
Organizational  | Security policies, rulemaking             | Meaningless if rules are not followed
Human           | Information security education, awareness | Needed to make technical and organizational measures effective

Protecting Employees and Reducing Corporate Risk

Information security education is essential not only to protect the company from the risks of information leaks and cyberattacks, but also to protect the employees themselves. If an employee unintentionally becomes a party to an information leak, the psychological burden can be immense. Gaining correct knowledge through education creates an environment where employees can work with peace of mind, which in turn enhances the company’s overall resilience (capacity to recover, robustness).

2. Key Information Security Education Topics All Employees Should Learn

What, specifically, should employees learn? Below are the fundamental knowledge areas that every employee, regardless of position or job type, should acquire.

Threats from Malware and Ransomware

Employees should understand the basic mechanisms and threats of malware such as computer viruses and ransomware: through which channels they infiltrate (email attachments, website browsing, etc.) and what kind of damage they cause (data theft, data encryption).

How to Identify Targeted Email Attacks

Targeted attack emails, typified by “Emotet,” impersonate business partners or internal staff and use clever wording to convince recipients to open attachments or click links. Using real examples of attack emails, employees learn specifically what to look for and how to spot suspicious points.

Secure Password Management

Employees should understand how dangerous it is to use passwords that are “short, simple, and reused.” Training should cover the importance of setting long, complex, and unique passwords for each service, as well as the effectiveness of multi-factor authentication (MFA).

Appropriate Use of Social Media and Risks of Information Sharing

Even on personal social media accounts, careless posts (for example, uploading photos that reveal the workplace environment) can lead to corporate confidential information being leaked or provide clues to attackers. Training should emphasize the importance of responsible information sharing with a clear awareness of the boundary between private life and work.

Risks of Personal Devices (BYOD) and Public Wi-Fi

Employees should learn, with concrete examples of threats, about the risks of using personal PCs or smartphones for work without company approval (shadow IT), and the dangers of performing work over unencrypted public Wi-Fi offered in places like cafes.

Preventing Insider Misconduct

It should be made clear that actions such as taking customer data when leaving the company or illegally copying confidential information while employed are not merely rule violations, but criminal acts that violate laws such as the Unfair Competition Prevention Act, and are subject to strict penalties.

3. Effective Methods for Information Security Education

The purpose of education is not to cram knowledge, but to drive behavioral change in employees. To achieve this, it is effective to combine various methods and implement them on an ongoing basis.

Educational Method: Classroom/Group Training
  Advantages
  • Builds a sense of unity and encourages active discussion
  • Easier to keep participants focused
  Disadvantages
  • Strong constraints on time and place
  • Difficult to implement company-wide all at once

Educational Method: E-learning
  Advantages
  • Enables learning anytime, anywhere
  • Can progress according to individual levels of understanding
  Disadvantages
  • Hard to maintain motivation
  • Participation can become a mere formality

Educational Method: Targeted Email Attack Training
  Advantages
  • Builds practical response skills
  • Objectively identifies organizational weaknesses
  Disadvantages
  • Effectiveness decreases if employees learn in advance that it is a drill
  • May place psychological stress on employees

Classroom/Group Training

A traditional training format where instructors and participants meet face-to-face. By incorporating discussions using recent incident cases, this interactive communication style makes it easier to heighten participants’ sense of ownership and responsibility.

E-learning

A format that uses online learning platforms. Its greatest advantage is the ability to provide all employees with education of consistent quality, without restrictions of time or place. Because learning histories and test results can be centrally managed, it also reduces the burden on training coordinators.

Targeted Email Attack Training

This highly practical method involves sending employees “training emails” that closely resemble real attack emails and testing whether they actually open attachments or click links. Employees can experience firsthand the real threat that “I could be deceived too,” and the organization can objectively measure and evaluate its overall response capability.
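The paragraph above says a drill lets the organization objectively measure its response capability, but does not show what that measurement looks like. The following is an added example, not code from the original article or from KDDI's training services: it assumes the training platform exports one comma-separated event per employee action (event types `sent`, `opened`, `clicked`, `reported` are an assumption), and computes the figures a training coordinator would actually report: open rate, click rate, report rate, the number of employees who clicked without ever reporting, and how quickly the first report arrived in each department. The event rows are constructed sample data.

```python
"""Score a targeted-email (phishing simulation) training campaign.

Added example: it assumes the training platform exports one event per
employee action as "employee,department,event,timestamp".  The event
names and the sample rows below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export from a fictional drill (not real data).
SAMPLE_EVENTS = """\
e001,Sales,sent,2024-05-07T09:00:00
e001,Sales,opened,2024-05-07T09:04:00
e001,Sales,clicked,2024-05-07T09:05:00
e002,Sales,sent,2024-05-07T09:00:00
e002,Sales,opened,2024-05-07T09:10:00
e002,Sales,reported,2024-05-07T09:12:00
e003,Dev,sent,2024-05-07T09:00:00
e003,Dev,reported,2024-05-07T09:03:00
e004,Dev,sent,2024-05-07T09:00:00
e005,Dev,sent,2024-05-07T09:00:00
e005,Dev,opened,2024-05-07T09:30:00
e005,Dev,clicked,2024-05-07T09:31:00
e005,Dev,reported,2024-05-07T09:40:00
"""


def parse_events(text):
    """Parse the export into (employee, department, event, datetime) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        emp, dept, event, ts = line.split(",")
        events.append((emp, dept, event, datetime.fromisoformat(ts)))
    return events


def campaign_metrics(events):
    """Return per-department metrics plus an 'all' roll-up.

    Rates are fractions of employees who received the training email.
    'silent_clicks' counts employees who clicked and never reported:
    these are the people who most need follow-up training.
    """
    per_emp = {}
    for emp, dept, event, ts in events:
        rec = per_emp.setdefault(
            emp, {"dept": dept, "sent_at": None, "opened": False,
                  "clicked": False, "reported_at": None})
        if event == "sent":
            rec["sent_at"] = ts
        elif event == "opened":
            rec["opened"] = True
        elif event == "clicked":
            rec["clicked"] = True
        elif event == "reported":
            # Keep the earliest report if an employee reported twice.
            if rec["reported_at"] is None or ts < rec["reported_at"]:
                rec["reported_at"] = ts

    groups = defaultdict(list)
    for rec in per_emp.values():
        groups[rec["dept"]].append(rec)
        groups["all"].append(rec)

    result = {}
    for dept, recs in groups.items():
        sent = len(recs)
        clicked = sum(r["clicked"] for r in recs)
        reported = sum(r["reported_at"] is not None for r in recs)
        silent = sum(r["clicked"] and r["reported_at"] is None for r in recs)
        delays = [(r["reported_at"] - r["sent_at"]).total_seconds() / 60
                  for r in recs if r["reported_at"] and r["sent_at"]]
        result[dept] = {
            "sent": sent,
            "open_rate": round(sum(r["opened"] for r in recs) / sent, 2),
            "click_rate": round(clicked / sent, 2),
            "report_rate": round(reported / sent, 2),
            "silent_clicks": silent,
            "first_report_min": min(delays) if delays else None,
        }
    return result


def needs_followup(metrics, max_click_rate=0.3):
    """Departments whose click rate exceeds the threshold, worst first.

    The 0.3 threshold is an assumed policy value, not one from the article.
    """
    flagged = [(d, m["click_rate"]) for d, m in metrics.items()
               if d != "all" and m["click_rate"] > max_click_rate]
    return [d for d, _ in sorted(flagged, key=lambda x: -x[1])]


if __name__ == "__main__":
    metrics = campaign_metrics(parse_events(SAMPLE_EVENTS))
    for dept, m in metrics.items():
        print(dept, m)
    print("follow-up needed:", needs_followup(metrics))
```

Reporting the report rate and the time to first report alongside the click rate matters: a department where one person clicks but a colleague reports the email within minutes is in a much better position than one where nobody reports at all, and rewarding prompt reporting rather than only counting clicks also addresses the psychological stress noted in the table above.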

4. Three Key Points for Successful Information Security Education

The following three points are critical for implementing effective education and embedding it into the organizational culture.

Demonstrate Commitment from Top Management

Information security education must not be treated as just an initiative of the IT department. The most effective way to change employee awareness is for top management to personally communicate to the entire company why security is important to the organization and position it as a management issue.

Tailor Content and Level to the Target Audience

Providing the same training to all employees is not sufficiently effective. Layered education is essential—changing the messages and expected skill levels based on roles and responsibilities, such as basic training for new hires, management training for managers, and secure programming training for developers.

Implement Continuously, Not Just Once

Security threats are constantly evolving, and knowledge learned once fades over time. Beyond annual training, it is important to build a system that gives employees no time to forget, through regular exposure to information such as monthly mini-tests, periodic reminder emails, and the sharing of incident alerts.

5. Summary: Education Is Not a Cost, but an Investment in the Future

Because information security education does not directly generate visible profit, it tends to be viewed as a cost center and postponed. However, in today’s world, where a single major incident can jeopardize a company’s existence, raising employees’ security awareness is the most important and effective investment for business continuity.

Use this article as a reference to develop an educational plan that fits your company’s current situation and take the first step toward fostering a security-conscious culture across your organization.
