Ask the Expert

Security awareness program

I'm a project manager for implementing information security in my company. I would like to put together an awareness program. Do you have any examples in the form of a framework or approach, with specific steps and areas to cover that I can follow?



There's no short answer to building an effective awareness program, but when I build them I start by addressing the following ten challenges:

    Reasons
  • A genuine belief in the importance of employee awareness
  • To keep management happy
  • To avoid legal risks
  • To meet regulatory requirements

    Goals
  • To strengthen security defenses
  • To reinforce policy awareness
  • To target and change specific behavior

    Commitment
  • Needs the complete support of management
  • Needs the necessary budget
  • Must include management-backed consequences for failure

    Audience
  • You must understand how much they know and how well they can learn.
  • They must be convinced and committed.
  • How will the audience access the program: how many countries/languages; access to PC, high speed connection, video.
  • What is their attention span/time availability?
  • Will there be any follow up?

    Delivery System
  • Paper -- manuals, newsletters
  • E-mail -- daily, weekly or monthly reminders
  • Web is best, but do they have easy access?
  • Frequency

    Content
  • Focus on changing attitudes and behavior before demanding compliance.
  • Choose the most important messages.
  • Divide them into short lessons, typically 10-16 in total.
  • Deliver the lessons in short bursts.
  • 20 minutes max for effective retention.
  • Use a variety of formats: text, Flash, video, audio, PowerPoint.

    Measurement
  • Use testing to measure retention and effectiveness.
  • Use testing to measure compliance and participation.
  • Use testing to identify knowledge gaps and security weaknesses.
  • Use testing to sell to management.

    Consequences
  • There must be some...
  • For failing to participate.
  • For failing to complete.
  • For failing to comply.
  • That's why management support is essential.

    Participation
  • All employees and managers must participate.
  • Participation should be rewarded: certification and prizes.

    Response
  • Response must be encouraged and measured.
  • Feedback must be encouraged and simple.
  • Feedback must be fed back, to fix gaps and improve the impact.



    This was first published in January 2002
