Goals of a Security Awareness Program
There can be many reasons an organization decides to implement a security awareness program. It may be a reaction to a cyberattack, a company mandate, or compliance with industry standards or laws. In order to develop an effective program, you must outline your goals and a pathway to achieving those goals.
First, define what security awareness means to your organization. Is it strictly computer or network security? Does it include physical security? No matter the driving factors or definition, the overall goal of a security awareness program is to educate a group of users on the importance of security awareness and their role in protecting data.
Programs with well-defined goals are likely to be more successful. Perhaps you would like to see a reduction in unlocked, unattended workstations. Maybe you want to see stronger passwords used to protect accounts, or an uptick in reported phishing attempts. To measure the success of your program, take some baseline measurements: How many unlocked screens do you see today? What are your current password requirements? Do users report suspicious emails? Once a baseline is set, establish metrics for improvement: 50% fewer unlocked screens, an updated password policy and compliance by all users, and a 50% increase in phishing reports.
The next step is to develop the pathway to achieve these goals. Delivering frequent, short reminders on security-related topics is an excellent way to keep security at the forefront of people’s minds. Focus on content that relates to your pre-defined goals: password security, physical security, and phishing. In addition to providing guidance, content should focus on why security awareness is needed and how important each and every user is to the success of data protection. After all, one successful phishing attempt or hacked password is enough to take a network down.
Other security awareness topics may include social engineering, web surfing, access control, and proper use of hardware and software. In addition to bite-sized content, posters, department or company newsletters, and face-to-face meetings can also be effective in driving home security awareness points. A security awareness program should be customized to meet the challenges and culture of your organization.
Regardless of your organization’s specific goals and methodologies, well-defined goals, as well as upper-management endorsement, will be key to the success of your program.