I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.

Today I was meeting with security management to plan for this year's annual security training curriculum. We are thinking about customizing the training modules for end users depending on their job role. As examples:

  • Additional, customized training modules for privileged users such as domain admins
  • A training module customized for non-IT employees working in customer-facing roles
  • A separate training module for developers, perhaps with a heavier focus on defensive coding and software development vulnerabilities, e.g. SQL injection

As the security risk associated with an IT domain-admin-level user is obviously very different from a non-IT customer-facing employee, it seems customizing the security training to the specific needs of the type of employee is reasonable. What may be important and relevant to an IT employee may not be so to a customer service representative working in a call center, so it seems a one-size-fits-all approach is just ineffective.

However, I can also see the downsides of a customized approach. An end user could possibly reason that because they were not provided a specific module, that training module is not meaningful or important. In other words, it is possible to encourage end user employees to be more lax in their security habits as they associate only what they see in training as important. We want to avoid this perception.

Is customizing corporate IT security training based on job roles and the differing inherent risks associated with those roles a good practice?

What are some possible downsides to such a customized approach, other than described above?

Asked by Anthony