Implementing a Security Awareness Program

K. Rudolph, Native Intelligence, Inc.

Awareness as a Survival Technique

Awareness versus Training

IT Security Is a People Problem

Overnight Success Takes Time

Critical Success Factors

In-Place Information Security Policy

Senior-Level Management Support

Destination and Road Maps

Visibility and Audience Appeal

Obstacles and Opportunities

Gaining Management Support

Gaining Union Support

Overcoming Audience Resistance

Addressing the Diffusion of Responsibility
Awareness as Social Marketing

The Art of Motivation
Why Am I Important to Security?

What Do Security Incidents Look Like?

What Do I Do About Security?

Techniques and Principles

Start with a Bang—Make It Attention-Getting and Memorable

Appeal to the Target Audience

Address Personality and Learning Styles (Provide Options)

Keep It Simple—Awareness Is Not Training

Use Logos, Themes, and Images

Use Stories and Examples—Current and Credible

Use Failure

Involve the Audience—Buy-In Is Better Than Coercion

Be Surprising (The Unexpected Is Memorable)

Use Competition

Incorporate User Acknowledgment and Sign-Off

Use Analogies

Use Humor

Show Consequences

Take Advantage of Circumstances
Web-Based Courses (Lessons Learned)

In-Person Briefings (and Brown Bag Lunches)
Intranet and/or Internet
Awareness Coupons
Trinkets and Give-Aways

Publications (Newsletters)

Screen Savers

Sign-On Screen Messages

Surveys and Suggestion Programs

Inspections and Audits