Problem solve Get help with specific problems with your technologies, process and projects.

Security awareness program

I'm a project manager for implementing information security in my company. I would like to put together an awareness program. Do you have any examples in the form of a framework or approach, with specific steps and areas to cover that I can follow?

There's no short answer to building an effective awareness program, but when I build them I start by addressing the following ten challenges:

A genuine belief in the importance of employee awareness.
  • To keep management happy
  • To avoid legal risks
  • To meet regulatory requirements

  • To strengthen security defenses
  • To reinforce policy awareness
  • To target and change specific behavior

  • Needs the complete support of management
  • Needs the necessary budget
  • Must include management-backed consequences for failure

  • You must understand how much they know and how well they can learn.
  • They must be convinced and committed.
  • How will the audience access the program: how many countries/languages; access to PC, high speed connection, video.
  • What is their attention span/time availability?
  • Will there be any follow up?

    Delivery System
  • Paper -- manuals, newsletters
  • E-mail -- daily, weekly or monthly reminders
  • Web is best, but do they have easy access?
  • Frequency

  • Focus on changing attitudes and behavior before demanding compliance.
  • Choose the most important messages.
  • Divide them into short lessons, typically 10-16 in total.
  • Deliver the lessons in short bursts.
  • 20 minutes max for effective retention.
  • Use a variety of formats: text, Flash, video, audio, PowerPoint.

  • Use testing to measure retention and effectiveness.
  • Use testing to measure compliance and participation.
  • Use testing to identify knowledge gaps and security weaknesses.
  • Using testing to sell to management.

  • There must be some...
  • For failing to participate.
  • For failing to complete.
  • For failing to comply.
  • That?s why management support is essential.

  • All employees and managers must participate.
  • Participation should be rewarded ? certification and prizes.

  • Response must be encouraged and measured.
  • Feedback must be encouraged and simple.
  • Feedback must be fed back, to fix gaps and improve the impact.

    For more information on this topic, visit these other SearchSecurity.com resources:
    Best Web Links: Security Management

  • This was last published in January 2002

    Dig Deeper on Security Awareness Training and Internal Threats-Information

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.