Business case for an
Information Security Awareness Program
by Gary Hinson
Last updated in 2010
We have published this paper as a straw man - a good starting point if you are planning to establish and cost-justify your own information security awareness program. Naturally, it reflects the continuous rolling style of awareness program supported by NoticeBored, but even if you do not intend to become a NoticeBored customer, you will find some useful ideas here to help structure your awareness program and hopefully to persuade your management to invest in it (though admittedly your program will not be so cost-effective
This paper lays out the case for investing in an innovative continuous security awareness program. By informing and motivating people, the program will create a strong security culture, improve security compliance and cut net costs.

The awareness program will address general employees, managers and IT people through three parallel streams of awareness material. Fresh materials will be circulated every month, continuously promoting and reinforcing information security while covering a succession of important topics.

The program will be managed by a dedicated Information Security Awareness Manager (ISAM) under the leadership of the Information Security Manager, and delivered with the assistance of other corporate functions as necessary.

Security awareness metrics will be used to manage and prove the cost-effectiveness of the program. We are confident that the business benefits (resulting from increased compliance, improved control, reduced risks and reduced losses through security breaches) will substantially outweigh the program costs (primarily the ISAM’s salary).
Contents (20 pages)
Introduction - background, purpose/scope
Awareness program overview - aims, overall structure, target audiences
Awareness program content - topics, types of material & sources
Security awareness methods - creative comms methods, intranet Security Zone, branding, orientation
Program management - governance, ISAM, plan and metrics
Cost benefit analysis - program costs, business benefits, conclusion, refs
With four appendices:
(A) target audiences;
(B) potential awareness topics;
(C) program plan/GANTT chart;
(D) communications methods.
Note: an earlier version of our business case paper contributed to ENISA’s Users’ Guide: How to Raise Information Security Awareness. ENISA’s excellent paper expands considerably on the business case with helpful advice to SMEs on how to plan and establish security awareness programs - recommended reading. A new version is currently in production.

Derivatives of this business case have proven effective in numerous organizations. Do please let us know if it works for you, or if you have any other suggestions to improve or extend the business case.