December 22, 2012 Comments: -­‐ Security e-­‐learning for new joiners, risk based for other audience/subject. -­‐ Emergency response, evacuation, medical emergency, hazardous threats by mail. -­‐ Yes -­‐ for cleared personnel. No -­‐ for uncleared personnel. -­‐ No, but we have been successful with making security training a part of team meetings and online training. -­‐ Training plans are developed for each client. -­‐ Some, depending on job function, receive more than others or specifically designed training. -­‐ New employees have a section in new employee orientation that covers security. There is some mandatory training that is required which overlaps with security and is done annually or every other year: Privacy training; Respectful Workplace training. -­‐
Security Awareness Training is required annually of all employees through the company Learning and Development Center and an on-­‐line training portal. -­‐
Information Security once per year. Will be mandatory in 2013 (Information Security). -­‐
-­‐
We don’t have security specific training programs per se! We have two main courses that are strongly recommended. Basic security management learnings. -­‐
Training is encouraged by each business unit, but not (yet) mandatory. -­‐
Basic security orientation during the initial hiring phase. -­‐
Industrial security training is mandatory for all employees who hold a security clearance. Any other mandatory training is project-­‐ or client-­‐driven for specific projects or extreme-­‐risk countries. All other security training is available on our corporate security website for employees to take on their own if they desire. -­‐
For the entire corporation, it is based on what the training is and who the audience will be. -­‐
Anti-­‐fraud awareness. -­‐
At orientation. Those with clearances require annual refresher training. -­‐
Security is introduced at new hire orientation only. -­‐
A portion. All new employees receive basic training about emergency calls, and their role in the process of making a secure facility. Other security training is optional, but highly recommended. -­‐
Depends on the organization and role employees are in. Some training is regulatory required. Comments: -­‐ Generally it is done in house, but outside consultants or trainers are used selectively. -­‐ Security training is provided by a member of the Protective Services team. -­‐ Another department is responsible for the mandatory training mentioned above. But we do sponsor some awareness training in our department. -­‐ We have identified a preferred provider. -­‐ I provide the training myself. -­‐ Our security training is via an online program, and we do influence the selection of the content/programming partner. -­‐ Security training is provided by in house staff, and through web learning. -­‐ Internal security influences and requests certain training to be conducted. -­‐
We do our training internally so there is no choosing any third party to provide said training. How many hours/days of security training do new employees receive? None (3 responses) 5 minutes (1 response) 15 minutes (2 responses) 20 minutes (1 response) 30 minutes (8 responses) 45 minutes (5 responses) 60 minutes (25 responses) 90 minutes (5 responses) 120 minutes (12 responses) 150 minutes (1 response) 240 minutes (3 responses) 360 minutes (1 response) Range = (0, 120 minutes) Median = 60 minutes Mode = 60 minutes Mean = 77 minutes Upper Quartile = 120 minutes Lower Quartile = 45 minutes Comments: -­‐
-­‐
New Hire Orientation 45 minutes. All employees do go through a 30 minute security safety awareness training upon hire. -­‐
Depending on their position, 1-­‐2 hours. -­‐
1 hour-­‐ cleared employees. 0-­‐ uncleared employees. -­‐
1 hour for new employee orientation, but there is additional training depending on roles and responsibilities. -­‐
New employees receive 1 hour of security training during New Employee Orientation. -­‐
Varies depending on role -­‐ minimum 1 hour. -­‐
45 minute on-­‐line interactive training module, supplemented with classroom training when job applicable. -­‐
Training is provided in a layered manner with the Security Awareness Training provided to all employees and other additional training provided depending on the position held. -­‐
2 hours of training. There is a new employee orientation process which includes security. I view this more as awareness than training. -­‐
Depends on country/business unit. -­‐
New Hire Orientation = 0.5 hour Ongoing Community Watch = Monthly messaging. -­‐
1 hour combination of new employee orientation and online training / testing. -­‐
Minimum 2 hours depending on position. -­‐
Part of larger orientation (approximately 1 hour). -­‐
It depends on the level of responsibility. Line workers: 1-­‐2; supervisors: 2-­‐4; program managers: 2-­‐8; security coordinators (additional duty): 3 days. -­‐
Depending on their position. E.g. new secretaries and receptionists receive a 4 hour training. -­‐
About 2.5 hours; more if they are traveling to areas of high safety & security risks. -­‐
If assigned as a corporate staff employee, new hires receive a 30 minute briefing on our local emergency response plan, facility security specifics, and protection of company confidential data. If assigned to a high threat country, premobilization training takes 3 days, followed by additional training once in the country of assignment. -­‐
All new hire employees and contractors go through an hour of security training at almost every plant and office. New guards have minimum of 3-­‐days of training. -­‐
One hour, but If they are working on classified information, another hour. -­‐
Roughly 1 hour. We also publish monthly advisories, updates etc for all employees. -­‐
45 minutes during general new employee orientation. -­‐
1 hour -­‐ brief onboarding at corporate office with, currently, no requirements for the same at other offices although HR likely does provide some type of security-­‐related onboarding relative to the facility. -­‐
About a half hour at New Employee Orientation. About an hour in their departments, but that covers a wide range of emergency response, not just security. (severe weather, utility failure, etc). -­‐
Varies and depends on the function of the individual employee. -­‐
Two hours per year mandatory, we provide options for self service training via the intra-­‐
net. -­‐
Depends on the topic, some are mandatory. How many mandatory security training hours/days do employees receive annually? None (20 responses) 15 minutes (1 response) 20 minutes (1 response) 30 minutes (3 responses) 60 minutes (15 responses) 90 minutes (1 response) 120 minutes (10 responses) 150 minutes (3 responses) 180 minutes (2 responses) 240 minutes (8 responses) 720 minutes (1 response) Range = (0, 720 minutes) Median = 60 minutes Mode = 0 minutes (none) Mean = 39 minutes Upper Quartile = 135 minutes Lower Quartile = 0 minutes (none) Comments: -­‐ Town hall type trainings twice annually on security related topics-­‐total 2 hours. -­‐ It varies department to department. We offer our services and have training available. Nothing is mandated. -­‐ Depending on position, 1 -­‐ 4 hours. -­‐
1 -­‐ 2 for cleared employees. 0 -­‐ uncleared employees. -­‐
1 hour for new employee orientation, but there is additional training depending on roles and responsibilities. -­‐
No mandatory annual security training. -­‐
2 – 4. -­‐
1 is the minimum depending on posting location. -­‐
Varies depending on job (i.e. mailroom and suspicious package handling, expense services and fraud detection, etc.). -­‐
If you include privacy, 1 hour. -­‐
Varies by job and location. -­‐
Depends on country/business unit. -­‐
Completion of an online program, generally less than 1 hour to complete. -­‐
Ongoing web based. -­‐
None -­‐ program is voluntary for now. -­‐
Less than one hour. -­‐
1-­‐8 depending on position. -­‐
Depending on their position. -­‐
About 2.5 hours for normal staff. -­‐
One (1) hour or less. -­‐
Industrial security training 3 hours per year mandatory, but other training sessions can be taken on-­‐line. -­‐
Various depending on role. -­‐
Different from area to area but approximately 2 hrs. -­‐
Employees receive about 2-­‐3 hours per year of required training. -­‐
For nonsecurity employees, it is based on who the audience and what the topic is. -­‐
.5 to include fire drills. -­‐
One hour for all employees and an additional hour for employees with a security clearance. -­‐
One hour. Additionally, there are monthly advisories, updates posted for all employees. -­‐
3-­‐4. -­‐
At least 1 hour. -­‐
It depends on the role and job requirements. On average it's about 4 hours. -­‐
4 hours (1 per quarter). -­‐
Two to three hours on the topics of workplace violence. -­‐
30 minute module. -­‐
Depends on their role. How many separate mandatory training sessions per employee do you organize annually? -­‐ Zero (15 responses) Ø None, training is not mandatory and is part of the performance review Ø None mandatory; offer training for departments routinely, -­‐ 1 (12 responses) Ø At least one per employee-­‐-­‐most is on-­‐line now Ø One on acknowledgement of Business Conduct Guidelines -­‐ 1-­‐2 (1 response) Ø Nonsecurity employees 1 -­‐ 2 based on what is occurring or pushed out. -­‐ 2 (9 responses) -­‐ 2-­‐3 (2 responses) -­‐ 2-­‐4 (1 response) -­‐ 3 (4 responses) -­‐ 4 (4 responses) Ø Quarterly for Industrial security training. -­‐ 5 (1 response) -­‐ 5-­‐6 (1 response) -­‐ 12 (2 responses) -­‐ 26, every other week (1 response) -­‐ 32 (1 response) -­‐ 50 (1 response) -­‐ Several (1 response) -­‐
-­‐
-­‐
-­‐
Dozens (1 response) Varies by job function/location/business unit, etc. (10 responses). Ø Depending on position, 1 -­‐ 50 (these 50 would be informal "micro quizzes"). Ø 2-­‐3 for cleared employees. 0 -­‐ uncleared employees. Ø Depending on their position, but at least 5 trainings sessions a year are organized somewhere in our organization. Ø As many as four depending on job function. Ø Minimum one recurring training session annually per employee. Some employees receive more than one session depending on position and responsibilities (as many as three sessions annually). Unknown (2 responses) Not measured currently (1 response) -­‐
-­‐
-­‐
Ongoing online (3 responses) Ø in high risk locations -­‐ induction frontal training all employees 2 modules of e-­‐
Learning + quiz As per certain career milestones (1 response) Comments: -­‐
Not yet. -­‐
Conducted by the security department. -­‐
Use our internal KLG system to track. -­‐
Use contractor in combination with in-­‐house resources. -­‐
We have taken various programs such as the Security Awareness Training video from the Security Executive Council and then edited and customized it for our company. We have also done this with videos and training materials obtained from the Federal Government and the private sector Center for Personal protection. -­‐
Use web based training. -­‐
Mix of service providers and training developed in-­‐house. -­‐
Internal HR providing the platform for the e-­‐learning, local security coordinators and manager are conducting the frontal lectures. -­‐
Internal. How do you measure the effectiveness of security training (e.g. metrics, auditing systems)? -­‐
-­‐
Don’t measure/Not yet (16 responses) Metrics (10 responses) -­‐
Auditing systems (6 responses) -­‐
External audits (2 responses) -­‐
Tracking number of employees who took on line training/tracking attendance (5 responses) -­‐
Staff surveys/feedback (14 responses) -­‐
-­‐
Testing (9 responses) Ø We use post tests to validate that the training provided was clearly communicated and understood by the trainee. We are also working on a penetration testing program for our company. Ø Assessment testing requiring 90% pass. Ø Good question, not sure that we do... Having said that, we do have a test for comprehension, but it doesn’t seem like that is the intent of this question. Ø We require 100% completion of online training and 100% passing of online testing. After a reasonable and publicized time period, Network access is shut down for anyone who has not completed the training & testing. 100% compliance becomes almost immediate following the loss of network access. Ø Questioning newer employees to find what held and rate of error. Ø e-­‐learning tools monitor compliance, including quiz ensuring the critical points are known by the employees. Ø Generally not measured, however an occasional quiz is administered. Review after every session. Timing of evacuations. -­‐
Statistics on assaults, robberies, burglaries. -­‐
How incidents are handled. -­‐
We don't formally measure/document the effectiveness of some types of our training. We either ask questions on the spot and correct answers when wrong, or conduct scenario-­‐based exercises and evaluate actions/make corrections on the spot. -­‐
Incident report statistical analysis. -­‐
-­‐
-­‐
Part of our KPI. Attendance vs. staff count per division; reported incidents year over year. -­‐
Behavior / incident reporting. -­‐
Evaluation and monitoring by public law enforcement officers. -­‐
All our trainings are standardized globally by the UN Security Management System. -­‐
It's a check off item for regulatory compliance. -­‐
We have built-­‐in knowledge checks throughout the training at the completion of each module. -­‐
Difficult to measure, but we track security violations, loss of IT equipment, internal theft of property, project related hostile action casualties and try to correlate these to our security training requirements. -­‐
Knowing what to do in times of emergency. Impactful vs time is our goal. Simple messages in 1s and 2s that are easy to remember. -­‐
Site security assessments. -­‐
Annual government inspections, red team. -­‐
Inspections. -­‐
Incident and alarm metrics Comments: -­‐ No, not at this time. We often spend excessive time on measurement which could be used for effective education/learning. -­‐ Always interested in improving processes. -­‐ Always opportunity for improvement as to ROI. -­‐ Security staff received a lot more training then general population. Finding a better measurement would be useful. -­‐ Generally this is accomplished through a survey of the training that was conducted. -­‐ Specialized training is provided to select groups, based on risk. -­‐ Our internal management performance assessment routine will provide the appropriate feedback and corrective actions. -­‐
There's always a concern that compliance does not necessarily equal learning and proper behavior. -­‐
When training is provided, the benefits are prevalent for a few weeks, then quickly become forgotten. -­‐
Yes, metrics are very difficult to establish and track as much of what we do is prevention i.e. when an event does not occur (success on our part) because of our security measures / procedures, there is no metric to measure a non-­‐event. -­‐
The problem we have is there is too much resistance to the training and additional measures. -­‐
Efforts to correlate training and incident reduction are fraught with challenges; too many variables. -­‐
Would be nice, but not sure how to measure for effectiveness. Much of the training benefits staff because they feel more confident. Comments: -­‐ New hire orientation. -­‐ Webinars. -­‐ Guest speakers. -­‐ Training content on security intranet; periodic security awareness messages sent by email to all employees. -­‐ Group presentations. -­‐ One-­‐on-­‐one security onboarding for new corporate staff, performed by a member of global security staff. -­‐ Electronic messaging on video boards throughout the enterprise. Comments: -­‐ None (4 responses) Ø N/A -­‐ unfortunately, do not have a mechanism for tracking whether all new corporate hires have received security onboarding at this time. -­‐ Security personnel have monthly training. -­‐ Periodic lunch and learn security awareness/training sessions. -­‐ We audit for training completion. -­‐ Quiz at the end of computer based training. -­‐ CBT training and testing with participation reporting.