Security awareness program

I'm a project manager for implementing information security in my company. I would like to put together an awareness program. Do you have any examples in the form of a framework or approach, with specific steps and areas to cover that I can follow?

There's no short answer to building an effective awareness program, but when I build them I start by addressing the following ten challenges:

A genuine belief in the importance of employee awareness.
  • To keep management happy
  • To avoid legal risks
  • To meet regulatory requirements

  • To strengthen security defenses
  • To reinforce policy awareness
  • To target and change specific behavior

  • Needs the complete support of management
  • Needs the necessary budget
  • Must include management-backed consequences for failure

  • You must understand how much they know and how well they can learn.
  • They must be convinced and committed.
  • How will the audience access the program: how many countries/languages; access to a PC, a high-speed connection, video?
  • What is their attention span/time availability?
  • Will there be any follow up?

Delivery System
  • Paper -- manuals, newsletters
  • E-mail -- daily, weekly or monthly reminders
  • Web is best, but do they have easy access?
  • Frequency

  • Focus on changing attitudes and behavior before demanding compliance.
  • Choose the most important messages.
  • Divide them into short lessons, typically 10-16 in total.
  • Deliver the lessons in short bursts.
  • 20 minutes max for effective retention.
  • Use a variety of formats: text, Flash, video, audio, PowerPoint.

  • Use testing to measure retention and effectiveness.
  • Use testing to measure compliance and participation.
  • Use testing to identify knowledge gaps and security weaknesses.
  • Use testing to sell to management.

  • There must be some...
  • For failing to participate.
  • For failing to complete.
  • For failing to comply.
  • That's why management support is essential.

  • All employees and managers must participate.
  • Participation should be rewarded -- certification and prizes.

  • Response must be encouraged and measured.
  • Feedback must be encouraged and simple.
  • Feedback must be fed back, to fix gaps and improve the impact.


This was first published in January 2002.
