Of the 108 Sub-Categories listed under the NIST Cyber Security Framework, at least five are dedicated to Cyber Security Awareness. These fall under the Function ‘Protect (PR)’, within the Category ‘Awareness and Training (AT)’. By way of definition:
The organisation’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
Specifically, the five sub-categories include:
- PR.AT-1: All users are informed and trained
- PR.AT-2: Privileged users understand their roles and responsibilities
- PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
- PR.AT-4: Senior executives understand their roles and responsibilities
- PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
Using a Simulation to Train on Cyber Incident Response Plans
For the same reason that fire evacuation procedures are tested, your cyber incident response plan should be tested too. All key staff must understand the plan and practise it, often!
A large portion of dealing with a Cyber Incident involves non-technical issues such as legal, communications and regulatory matters. Accordingly, more than just your IT team should be preparing for and taking part in a Cyber Incident Simulation.
The key outcome of a Cyber Incident Simulation, or tabletop exercise as it is often called, is that your organisation will have greater confidence to prepare, respond and recover in a crisis. By conducting a simulation, you will:
- Establish your current state of readiness
- Gain a better understanding of the cyber risks you face
- Practise your decision making in a safe environment
- Identify areas for improvement
Actioning Cyber Security Awareness
We recommend that organisations deliver their cyber security awareness initiatives through training programmes. These can be delivered in many forms, such as online, through gamification, tabletop simulation, or seminars. You should also set targets for improvement and measure progress over time; the NIST Cyber Security Framework tiers are a good example of how to do this.