Awareness program business case
Business case for an
Information Security Awareness Program

by Gary Hinson

Last updated in 2010

Introduction

We have published this paper as a straw man - a good starting point if you are planning to establish and cost-justify your own information security awareness program.  Naturally, it reflects the continuous rolling style of awareness program supported by NoticeBored, but even if you do not intend to become a NoticeBored customer, you will find some useful ideas here to help structure your awareness program and hopefully to persuade your management to invest in it (though admittedly your program will not be so cost-effective without NoticeBored!).

Executive summary

This paper lays out the case for investing in an innovative continuous security awareness program.  By informing and motivating people, the program will create a strong security culture, improve security compliance and cut net costs.

The awareness program will address general employees, managers and IT people through three parallel streams of awareness material.  Fresh materials will be circulated every month, continuously promoting and reinforcing information security while covering a succession of important topics. 

The program will be managed by a dedicated Information Security Awareness Manager (ISAM) under the leadership of the Information Security Manager, and delivered with the assistance of other corporate functions as necessary.

Security awareness metrics will be used to manage and prove the cost-effectiveness of the program.  We are confident that the business benefits (resulting from increased compliance, improved control, reduced risks and reduced losses through security breaches) will substantially outweigh the program costs (primarily the ISAM’s salary). 

Contents (20 pages)

  1. Introduction - background, purpose/scope
  2. Awareness program overview - aims, overall structure, target audiences
  3. Awareness program content - topics, types of material & sources
  4. Security awareness methods - creative comms methods, intranet Security Zone, branding, orientation
  5. Program management - governance, ISAM, plan and metrics
  6. Cost benefit analysis - program costs, business benefits, conclusion, refs

With four appendices:

  (A) target audiences;
  (B) potential awareness topics;
  (C) program plan/GANTT chart;
  (D) communications methods.

Note: an earlier version of our business case paper contributed to ENISA’s Users’ Guide: How to Raise Information Security Awareness.  ENISA’s excellent paper expands considerably on the business case with helpful advice to SMEs on how to plan and establish security awareness programs - recommended reading.  A new version is currently in production.

Derivatives of this business case have proven effective in numerous organizations.  Do please let us know if it works for you, or you have any other suggestions to improve or extend the business case. 

Copyright © 2013  IsecT Ltd.