| Traditional approach | NoticeBored |
|---|---|
| Inform staff through an annual, formal corporate communications session | Inform and motivate staff and managers through multiple formal and informal communications channels running in parallel year-round |
| Stick some corny eye-candy posters on staff noticeboards ... and leave them up indefinitely | Circulate fresh awareness information every month in a range of formats so there’s always something new and interesting to read and absorb |
| Get the go-ahead, develop the awareness materials and eventually launch the awareness program with a bang ... but then quickly run out of steam | Launch the program today! Quickly establish a high level of awareness and keep it rolling forward indefinitely, drawing on a stream of creative energy |
| Cover too many issues at once, mostly at a rather superficial level due to time constraints | Stick to a single, relevant information security topic each month, seizing the opportunity to go into more depth as appropriate to each audience |
| Stick to the basics such as viruses and passwords | Cover over 40 topics from different perspectives, reflecting current security risks/incidents and topical news stories |
| Broadcast management edicts and security instructions at staff | Encourage feedback and interaction from employees and engage them by treating them as sentient beings rather than merely passive recipients of information |
| Deliver a random assortment of sometimes contradictory messages | Through branding, integrate all the awareness materials into a coherent, consistent and instantly recognizable longitudinal campaign theme |
| Think of “raised security awareness” as an end in itself | Understand that security awareness is merely a means to an end: the real goal is to create genuine behavioral and cultural changes to cut information security risks and reduce losses |
| Tell staff to comply with “the rules” for information security as defined by management “or else” | Help everyone (managers, staff and IT professionals) understand their respective security obligations; offer practical and relevant guidance in their own terms and familiar language |
| Try to sack those who break the rules, but run into trouble with the lawyers or unions because “the rules weren’t clear” | Ensure that everyone is aware of and understands their obligations; make people personally accountable for their actions |
| Send staff away on security training courses and awareness sessions with no follow-up support | Raise security awareness without interrupting normal work; encourage people to seek out further information (as much pull as push) |
| Be boring, tedious, generally ignored | Be creative, interesting, engaging, novel, challenging, provocative and fun |
| Communicate either in a formal, stuffy and stilted style, or else in a superficial, rather offhand style using childish cartoon graphics and weak jokes | Use a full range of formal and informal communications styles and methods to suit the various adult audiences and messages, maintaining a professional, business-like approach throughout |
| Use IT Security Managers (if they have the time and competence) or technical authors (trained to write technical manuals in a technical style) to write information security materials | Draw on a stream of high quality security awareness materials written to a consistent ‘camera ready’ standard of quality by well-qualified and experienced professional security awareness specialists |
| Aim the security awareness materials squarely at “end users” (meaning IT users), more or less completely ignoring other audience groups | Engage people - all employees, not just computer users - through an inclusive program giving appropriate information and guidance that meets their information needs |
| Cover just the essentials - the bare minimum requirements only | Cover the basics thoroughly, adding topical information security, governance, information risk, compliance and related subjects, aligned overall with the ISO/IEC 27000-series information security management systems standards |
| Blindly hope that awareness messages will all sink in and register | Measure the level of awareness objectively each month through awareness surveys and tests, and then use the data to improve the awareness program month by month |
| Promise quick results from the awareness program and disappoint management when things don’t suddenly improve in just a few short months | Anticipate a gradual but deep-rooted, genuine cultural change taking around 18-36 months to bed in; lead management and staff on the same journey |
| Pick someone junior from Information Security or Training to design and run the program, or “get someone in” | Draw on the professional expertise and energy of experienced information security awareness specialists without the overheads and costs of recruiting, employing and managing them |
| Run the program purely as an internal IT activity, making the best of limited in-house skills and resources | Tap into the resources of IsecT, the wider NoticeBored community and other parts of the organization, e.g. HR, Risk Management, Compliance and Legal |