Excellent security awareness programs satisfy the following seven design goals:
Information security is and should be perceived as everyone’s responsibility, hence the awareness program should reach everyone in the organization i.e. employees (staff and managers) in every location, business unit, function or department, plus contractors, consultants, temps and other third party employees working for the organization. Ideally, the awareness activities should start with a new employee induction or orientation module covering the basics of information security for newcomers. Most of all, the awareness program should be visibly supported and endorsed by management - which in turn implies that managers themselves need to be security-aware, and to understand the business value of security awareness. Involving managers in the formulation of security policies, rather than just presenting them as a fait accomplis, is one way to ensure that they have their say in molding information security to the organization's overall needs, not the other way around.
The program should cover a broad range of topics, elements and aspects such as: accountability and responsibility; auditing; authentication and identity management; bugs and other technical security vulnerabilities; business continuity including business impact analysis, resilience, disaster recovery, contingency and survivability; BYOD and portable computing; cloud computing; compliance and enforcement; cryptography; databases; email, Skype, instant messaging, Twitter etc.; ethics and trust; fraud; governance; hacking; human error and human factors; incident management and digital forensics; information protection; insider threats; IPR; knowledge and other intangible information; malware; network and Internet security; office security; oversight; privacy; physical security; risk management; SCADA/ICS and embedded systems security; security design; secure software development and acquisition; social engineering; surveillance; third parties; and trade secrets. The sheer number of relevant subjects makes it impossible to do justice to them all in a single annual awareness event. In my experience, covering a different topic every month strikes the right balance between breadth and depth of coverage (and, on a personal note, it fits my own attention span! After a month on any one topic, I need to move on).
3) Currency and topicalityWhile some of the topics listed in the previous point are relatively static, others are evolving rapidly and every so often something truly novel appears on the security horizon. An awareness program that is only updated infrequently or sporadically is likely to be a stale as old socks, hardly a recipe for success! What's more, if it fails to keep up with changes in the security landscape, as well as changes in the business and regulatory environment, there is a distinct risk that employees will be woefully unprepared for new threats. Learning from others' security failures sure beats the indignity of becoming a competitor's case study, or being pilloried in the press! This is another justification for a relatively rapid turnover of topics. Old news is an oxymoron.
The emphasis on motivation takes awareness beyond merely presenting information and hoping that people pay attention: it means the awareness and training materials must be relevant, topical, pragmatic and useful. The program has to engage with its audiences, and persuade them to respond by changing their ways. Rather than simply chastising workers for not complying with their security obligations, for example, management should reward and encourage those who do the right thing. Being crystal clear about the true purpose of security awareness makes a huge difference: remember that 'security awareness' is merely an interim objective, not the ultimate goal. Its true purpose is to make people behave more securely and drop risky behaviors, thereby reducing the number and severity and hence costs of information security incidents.
5) Satisfy audience needs
The program should take account of the range of information security interests and competences within the organization. For example, most employees will not understand the technical content that IT professionals need. Basic awareness materials may be suitable for junior employees whereas experienced colleagues are likely to appreciate more advanced materials. Governance, risk management and compliance matters are of greater concern to management than to staff. This implies the need to recognize distinct target audiences and provide suitable awareness materials specifically for each of them. One size definitely does not fit all!
6) CreativityCreative expression can breath life into an otherwise drab, monotonous and frankly ineffective awareness program. Variety is the key here. Limiting the awareness program to one format, mode or style of delivery cuts out those who, for whatever reason, don't appreciate that particular approach. Some people, for instance, respond better to pictures than to words. Some prefer to be told stuff, others like to be shown, others need to find out for themselves. Canned online/electronic delivery has little to no impact on those who learn best by considering, discussing and even arguing about the topic. Bright sparks catch on to new content quickly, whereas others need more time and perhaps quiet reflection or repetition. Cartoons and games catch some people's imagination, while coming across as childish and condescending to others (we're talking about adult education, don't forget). A relatively dry, formal style suits some but not all materials, topics and recipients. There is room to be contentious and challenging (within reason) and sometimes raising but not directly answering rhetorical questions can do wonders: an audience that discusses a security challenge and figures out its own response is more likely to internalize and follow-through on the response than one that is flatly instructed on what to do.
The awareness program should, of course, be an asset with a net positive value to the organization. Suitable metrics should demonstrate the program’s costs and benefits, as well as facilitating continuous improvement of the program’s design and delivery processes. As it happens, security metrics also make a fascinating awareness subject! Neglecting this aspect is a recipe for budget cuts and lackluster management support. Recall that security awareness is not an end in itself, therefore it doesn't automatically justify its own existence. From our perspective as suppliers, the low cost of our security awareness products works against us: managers who don't appreciate the true benefits tend to dismiss them as trivial and hence optional expenses, whereas in reality security awareness is the oil that slips other information security control mechanisms into place and keeps them running sweetly. Putting that another way, without awareness, the investment in security technologies is sub-optimal if not entirely wasted. If you know of a purely technical solution to social engineering, for instance, the market is wide open.
What have I missed?