Basic Principles of Security Awareness

Security practitioners often describe system users as the weakest link in information security. User skill levels and experience vary widely, and unlike automated controls, human users are subject to fatigue and distraction, which leads to mistakes that can result in vulnerabilities. Security awareness training is often a user's first exposure to information security. Most employees want to do a good job and do the right thing, but depending on their skill level they may not know how to practice good information security. Awareness training provides employees with the following:
- Basic principles of information security
- Awareness of information security threats and risks
- How to recognize and react to unexpected risks and security events
- How to report suspicious activity
- A foundation for a security culture throughout the organization
Techniques for keeping security awareness fresh in users' minds include:
- Ensure executive and management support. When top executives and managers visibly and vocally support the program, it signals the importance of information security across the whole organization.
- Use awareness aids such as posters, newsletters, email tips, blogs, and other reminders. People learn in different ways; using several kinds of aids helps ensure the message reaches employees in every part of the organization.
- Focus on changing behaviors. The goal is to create a culture of security. One way to do this is to relate awareness to employees' personal lives, families, and homes. Employees can then share security materials and information with family and friends outside of work, making information security part of their personal lives as well. Make awareness engaging or interactive, which employees often find enjoyable.
- Solicit ideas and feedback. Ask employees how security awareness can be improved. This gets employees directly involved in the security program.
- Measure success and growth. Track training completion rates, and gather feedback on what employees like about the training and what could be improved.