Re-reading ENISA's excellent how-to guide on security awareness has spurred me into getting ready to update our Information Security 101 awareness module.
The guide is strong on the purpose and objectives for security awareness:
"An information security awareness programme will:
- Provide a focal point and a driving force for a range of awareness, training and educational activities related to information security, some of which might already be in place, but perhaps need to be better coordinated and more effective.
- Communicate important recommended guidelines or practices required to secure information resources.
- Provide general and specific information about information security risks and controls to people who need to know.
- Make individuals aware of their responsibilities in relation to information security.
- Motivate individuals to adopt recommended guidelines or practices.
- Create a stronger culture of security, one with a broad understanding and commitment to information security.
- Help enhance the consistency and effectiveness of existing information security controls and potentially stimulate the adoption of cost-effective controls.
- Help minimise the number and extent of information security breaches, thus reducing costs directly (e.g. data damaged by viruses) and indirectly (e.g. reduced need to investigate and resolve breaches); these are the main financial benefits of the programme."
ENISA's structured process, laid out in detail over its 140 pages (!), resembles a project plan for a one-off project:
The ENISA guide is a bit ambiguous about the duration of the awareness programme. For example, the activity "C-070 Re-Launch the Programme" clearly implies that the programme has stopped, but elsewhere it mentions the need for a continuous approach to security awareness. A one-off project plan may not be an ideal model for a continuous/ongoing/indefinite effort, but I guess it's a familiar starting point for most of those using the guide.
In a couple of places, the guide uses graphical images to illustrate the progression of the awareness audience from a basic level of security awareness and knowledge, through understanding and commitment to change, to behaving more securely - not unlike our ladder diagram. Understanding this concept differentiates the old-skool approach to awareness (basically, throw a bunch of policies at the users and tell them to comply - treating the audience as mere receptacles for Important Security Stuff) from more modern and effective cultural-change approaches (engaging, motivating and persuading the audience, providing interesting content on a range of relevant business-related security topics, and interacting with them as sentient beings).
One more thing I particularly like about the ENISA advice is that it emphasizes the use of metrics to measure and drive systematic improvements in the awareness programme. "The effectiveness of an awareness programme and its ability to improve information security can be measured. The need for security awareness is widely recognised, but not many public or private organisations have tried to quantify the value of awareness programmes." (page 70). I'm currently working on an article about awareness metrics using the PRAGMATIC method - more to come on that score. Perhaps I can turn those awareness progression graphs into an awareness metric ...