
June 24, 2008


Gary Hinson

Those are good questions and answers, but I'd like to add something.

1. Which risks to cover?
Personally, I prefer to cover as many relevant topics as reasonably possible rather than investing loads of time on just a few. As to how to choose which risks to cover, there are loads of potential awareness topics: we work with about 30 (see www.noticebored.com/html/topics.html) while Rebecca Herold lists about 60 in her book "Managing an information security and privacy awareness and training program" (highly recommended!). From those lists or your own, pick out things that are topical and relevant in your organization, for example issues that have led to recent incidents. You don't necessarily need to plan the entire sequence of topics right now, just the current (being delivered) and next one (in preparation) would be enough. That way you can respond to incidents and issues as they arise, and adapt the program to reflect experience.

2. Best value initiatives?
A managed, rolling/continuous security awareness program is a good start but to make it exceptional, factor in the need to address different audiences within your organization - for example, staff, managers and IT professionals. They have different awareness needs, so cater to that with targeted materials written in a style that meets their needs. [There's more at the NoticeBored.com site.]

3. How to test effectiveness?
That's a can-o-worms! In conjunction with your management, you need to figure out the targets for the awareness program and then derive the corresponding metrics. Actually measuring stuff is likely to involve things such as employee surveys and tests but with some creative thinking, you can probably come up with other measures (e.g. page views on information security's intranet web site, showing how each awareness topic stimulates interest in the corresponding awareness materials, policies etc.).

4. How to get management buy-in?
Two suggestions here: first, start working on management's level of security awareness. Talk to managers about their security issues. Find out about things such as policy exceptions, drivers such as compliance and risk management. Find friends in high places. Next, prepare a business case with a cost-benefit justification for the awareness program. Demonstrate that the multitude of benefits from enhanced security awareness will far outweigh the costs of delivering the program, and work with those friends in high places to persuade their peers. [There's a generic business case paper on our website too.]

Good luck!

