Implementing a Security Awareness Program

K. Rudolph, Native Intelligence, Inc.

Awareness as a Survival Technique

Awareness versus Training

IT Security Is a People Problem

Overnight Success Takes Time

Critical Success Factors

In-Place Information Security Policy

Senior-Level Management Support

Destination and Road Maps

Visibility and Audience Appeal

Obstacles and Opportunities

Gaining Management Support

Gaining Union Support

Overcoming Audience Resistance

Addressing the Diffusion of Responsibility

Approach

Awareness as Social Marketing

The Art of Motivation

Content

Why Am I Important to Security?

What Do Security Incidents Look Like?

What Do I Do About Security?

Techniques and Principles

Start with a Bang—Make It Attention-Getting and Memorable

Appeal to the Target Audience

Address Personality and Learning Styles (Provide Options)

Keep It Simple—Awareness Is Not Training

Use Logos, Themes, and Images

Use Stories and Examples—Current and Credible

Use Failure

Involve the Audience—Buy-In Is Better Than Coercion

Be Surprising (The Unexpected Is Memorable)

Use Competition

Incorporate User Acknowledgment and Sign-Off

Use Analogies

Use Humor

Show Consequences

Take Advantage of Circumstances

Tools

Web-Based Courses (Lessons Learned)

In-Person Briefings (and Brown Bag Lunches)

Contests

Intranet and/or Internet

Posters

Awareness Coupons

Videos

Trinkets and Give-Always

Publications (Newsletters)

Screen Savers

Sign-On Screen Messages

Surveys and Suggestion Programs

Inspections and Audits

Get Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.