Business case for an Information Security Awareness Program
by Dr Gary Hinson PhD MBA CISSP
Last updated in July 2016
We have published this paper as a straw man - a good starting point if you are planning to establish and cost-justify your own information security awareness program. Naturally, it reflects the continuous rolling style of awareness program supported by NoticeBored, but even if you do not intend to become a NoticeBored customer, you will find some useful ideas here to help structure your awareness program and hopefully to persuade your management to invest in it (though admittedly your program will not be so cost-effective without NoticeBored!).
This paper makes the case for investing in a continuous (rolling) security awareness program. By informing and motivating our people to think and act more securely, the program will create a strong security culture, improve security compliance and cut costs.
The awareness program will address general employees, managers and specialists through three parallel streams of awareness material. Fresh materials will be circulated every month, continuously promoting and reinforcing information security by covering a succession of important and interesting topics.
Note: an earlier version of this paper contributed to ENISA’s Users’ Guide: How to Raise Information Security Awareness. The business case has proven effective in numerous organizations. Do please let us know if it works for you, or if you have any other suggestions to improve or extend the business case - particularly feedback from your managers. Do they like the paper? Does it make good business sense? Which part caused the most interest or concern?