Aware vs. Unaware Employees
Security awareness and training can seem like a complex or intangible concept, until you begin to articulate why it is being implemented.
The objective of a security awareness program is to reduce risk to information and systems by raising the awareness of employees and other authorized users of your network. What does this “reduction in risk” look like?
Let’s describe it in terms of the behavior of aware versus unaware employees:
An aware employee will never give her password to a phone caller, no matter the reason or request.
An unaware employee may reveal her password to a phone caller pretending to be an IT administrator.
An aware employee will report potential security issues. For example, perhaps the door to a secure area isn’t closing completely.
An unaware employee may shrug it off as someone else’s responsibility.
An aware employee will immediately call the help desk when his endpoint security software alerts him to malware.
An unaware employee will log off for the day and go home while the malware encrypts his files along with everything on the mapped drives.
An aware employee will remind other employees to remove employee ID badges when posing for photos.
An unaware employee will post the high-resolution photo everywhere, including public social media profiles.
An aware employee will encrypt her e-mail when transmitting sensitive data.
An unaware employee will send sensitive data over unencrypted e-mail, save it on her personal USB drive, or upload it to her personal cloud storage solution.
An aware employee will scrutinize e-mails and refuse to take the requested actions if suspicious.
An unaware employee will reveal passwords to fake websites, send W-2s to “the CEO,” and open attachments harboring malware.
An aware employee will call the help desk to confirm a vendor’s request for remote access to her machine.
An unaware employee will call “the certified technician” from the popup notification she received while surfing the web.
Perhaps most importantly, an aware employee will ASK when unsure if an action is risky or unsafe.
Articulate the desired outcomes of your security awareness program. Show employees why awareness is critical. A cognizant group of users serves as another line of defense in your organization; they provide an extra set of eyes and ears. Conversely, each uninformed user has the potential to be detrimental to your security.
Which employees do you want in your organization?