Security awareness

The components of a successful security awareness program

Dimitar Kostadinov
March 1, 2018 by
Dimitar Kostadinov

According to the European Network and Information Security Agency, "Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks."

The importance of security awareness programs is beyond question, but what makes a security awareness program successful? Presumably, this question may have as many answers as there are stars in the sky, and this article suggests several elements of such a program that have come into prominence over the years. Their origins are rooted in best practices, which is always a good indication of quality achieved through trial and error.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

1. Make it compliant with laws and regulations

Security awareness programs are required for PCI DSS compliance, HIPAA compliance, and complying with federal and state regulations (e.g., Texas Health Privacy Law/ Massachusetts Data Security Law), among other things. Unfortunately, because of that organizations often turn awareness programs into a check-the-box exercise (See "6. Diversify the Content and Methods").

Drafters of a security awareness program need to be familiar with the latest security training requirements. By way of illustration, the PCI DSS v3.2 (Payment Card Industry Data Security Standards) became mandatory, not best practices, on February 1, 2018.


How to Create a Compliant Security Awareness Program by Raju Woodward

As the President and CEO of Wombat Security, Joe Ferrara, said:

"Healthcare institutions are increasingly targeted by hackers, making it critical to deliver effective training to anyone who is not well-informed of HIPAA-mandated safeguards [.]"

2. Secure managerial buy-in for your program

It is to be noted that even though security awareness is often mandatory by law, it remains a core responsibility of top technology leaders, such as CISOs and HR managers, and they are accountable for its effectiveness.

Consequently, successfully enforcing a security awareness program will not happen without the active participation of the C-level executives. Top management will hold the reins on the entire security awareness process, from the initiation to the support and direction – this lies at the heart of the top-down approach. It is usually more reliable than the bottom-up approach since the people in charge of the most important matters within an organization are also fully responsible for the success of the program. Also, when senior leaders are so engaged in awareness and training events and are familiar with the organization's information security policies, that sends a positive message to everybody else.

Creating reliable communication channels – Upper management, again having a primary role, should take responsibility for communicating the program to all employees. Although such communication can take many forms, it is important always to remain clear, relevant, regular, interesting, and interactive.

3. Help from other departments

To obtain maximum support, the implementation of the security awareness program should be facilitated by key departments (human resource, legal, marketing, physical security, etc.), other than the IT one. For example, the legal department will ensure that the program is in accord with compliance requirements. Additional support in the form of funding and distribution is always welcome, as it will fortify the foundations laid by the upper management.

Perhaps an awareness program should adopt the more department-specific approach. In most situations, a mixture of baseline best practices and department-specific code of conduct is the way to go.

4. Cover the basics

Physical Security – It is about the physical access to the IT systems and organization's facilities. Wearing badges and a sign-in procedure at the front desk, for example, are ways to let in only legitimate persons.

Password Security – Firstly, default passwords must not to be used. Secondly, each password should be at least 8 characters long and contain different upper and lowercase letters, numbers, and symbols.

Anti-Phishing – Staffers need to be suspicious of emails that evoke a sense of urgency. Unless they are coming from trusted sources, no attachments or clicking on suspicious links should be executed. There are some good phishing simulations that will put employees to the test. Using regular phishing simulations is, in fact, a good strategy for developing of a security culture at every level within the organization (See the last component), as workers are advised to contact the IT department or security person when they are in doubt.

Social Engineering – Crooks sometimes try to manipulate staff into divulging important company-related information. Security awareness program and training would address such situations, but people need to approach these requests with a healthy amount of skepticism. Keep in mind that the social engineering may include other tricks, such as a malware-laden USB stick planted in the proximity of offices, in high hopes that employees will find them and be imprudent enough to plug it into the system.

Internal phishing and social engineering campaigns are good "checks and balances" tools concerning staff robustness against cybersecurity fraud and manipulation. As John Ferrara described it: "[Phishing] can shock complacent staff into realizing how vulnerable to social engineering they really are."

5. Include a training procedure

At first, companies should differentiate between security awareness programs and security training. This Dark Reading article outlined the difference:

"Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities."

6. Diversify the content and methods

Given that the cyber attacks today may have multiple attack vectors, security awareness programs need also be as comprehensive as possible. There is no "one size fits all" security awareness program, and therefore employees may receive information through various awareness avenues: phishing simulations, newsfeeds, newsletters, blogs, games, etc.

Several studies, such as this 2013 white paper from Secure Mentem, reported that interactive materials are more likely to be effective in achieving results than PowerPoint slides or awareness videos. Also, the combination of in-person and online based, interactive sessions seems to deliver greater results. Implementing simulations and gaming techniques is an excellent way to engage users and prompt them to provide immediate feedback at the same time.

Practice shows that awareness efforts directed towards what employees should do are more successful; for instance, how to use social networks safely, instead of telling them what they should not do.

Consider specific content directed at people who are new to the organization (i.e., "Onboarding") or dedicated for situations in the wake of security incidents (i.e., "Post-Incident"), both of which will presumably be a bit different from the normal content (i.e., "Ongoing").

Also, you can use a more personal approach – that is, logically bind, if possible, cyber awareness patterns to activities from personal life, environment, or people. Numerous studies have reported that employees tend to be more responsive when they think that awareness materials can be used outside the office.

A good program should both make regular references to the latest cyberattacks to demonstrate its importance and educate everyone on latest cybersecurity trends. Awareness programs that focus on providing staffers with cybersecurity information promptly could successfully repel cyber-attacks, as evident by the attempted Syrian Electronic Army hacking against IDG Enterprises.

Use a checklist but also other methods – this is a routine procedure designed to provide for the systematic dissemination of the security awareness program throughout the organization. It can also be used in all other stages of the program's life cycle. Unfortunately, most awareness programs are nothing more than a mere check-the-box exercise or a long sequence of computer-based training videos.

7. Make it intriguing and at least a bit entertaining

Perhaps the biggest problem with security training is that they do not evoke enough interest and enthusiasm in employees, even though when the trainees know its importance. Security is a serious subject. Nevertheless, like every other serious subject, it could become boring after a while.

Fun stories are often tantamount to intriguing stories. In this regard, funny videos could create a good atmosphere and excitement at the office. Humour may be the missing ingredient in your program. Although it should be in the right amounts, just as adding the right amount of salt to a dish – more is too salty, and less can be not tasty enough. Intriguing content can really leave a lasting imprint on memory. So, why so serious?

8. Enforce, review, and repeat

In general, security awareness should be carried out in person. Choose the best time for training carefully (usually during slow days or downtime). Make sure that users are actively engaged in all aspects of what they are learning.

As an example, routinely testing employee preparedness through a phishing training program will keep everyone alert and reinforce awareness activities. Moreover, the immediate feedback also comes in the form of a given employee clicking on a link in a phishing email or downloading an attachment – a potential breach of security that you could address right away by teaching him how to avoid such threats in future. Do not hesitate to notify persons that lag behind regarding training and best practices. Accountability is important to the process, so keeping a slack rein could be detrimental to the overall security awareness policy.

According to Stephen King, hell "might be repetition"; however, security-wise "repetition" may have a redeeming effect. Most employees do not come across security risks daily, so they need a reminder of looming security threats from time to time.

A yearlong plan broken down into quarters will help you focus threat research and training development efforts on specific goals, as well as notice changes that may occur in between these periods. Various methods can help you track progress, with reports and metrics being most common. Metrics have an illustrative character as they are key attributes that identify whether learning objectives are met or not, and whether the managerial staff needs to make any adjustments to the program.

9. Reward hard work

When your people demonstrate due diligence concerning the application of the security awareness program, your normal response would be to show them somehow that they are on the right track. Sometimes a pat on the back would be enough, but sometimes it would not be.

An internal incentive-based system that rewards people who report potential security incidents, even in the context of phishing simulations, is a welcome addition to every security awareness program.

Rewards may include even leisure activities: dinner out, listening to music, watching TV, etc. You can also provide gift cards and call out the names of top performers during meetings.

10. Create a security culture

What good cutting age technological security measures are going to bring a company if its people have no security culture? No ultra-modern technologies can compensate for the lack of security culture within a company. According to E-commerce Times, IT administrators and other security professionals consider "end user carelessness" as the primary security threat to their company, surpassing even malware-based cyberattacks and advanced persistent threats (ITIC/KnowBe4 "2013 -- 2014 Security Deployment Trends Survey").

The security culture is the key. Provided that it is properly created and enforced, an awareness program can instill habits and behavior that drive security culture.

The optimum goal of a security awareness program is not only to improve practical implementation of best security practices but also broaden understanding of newest security threats and how to counteract them.

The security awareness program ensures that every person in the organization possesses a minimum level of know-how concerning security matters, which is also usually accompanied by an appropriate sense of responsibility.

Source: Cybersecurity Awareness Month kicks off year-long Army campaign by Ms. Erinn Burgess

If we consider the first two lines of defense to be security controls and detection, security awareness fortifies mostly the third one – the human factor. In this context, a proper security awareness program should educate people on how to use the other two lines of defense.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.


Having a security awareness program is simply indispensable. By the reckoning of Maria Corolov of CSOOnline, "[t]he least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being in training. Moreover, the average-performing program resulted in a 37-fold return on investment [.]" Nevertheless, why settle for an inferior program? This article outlines several elements that everyone should consider when developing a security awareness program, and implementing most of them is not that difficult.

[Webinar] 10 Proven Security Awareness Tips to Implement Now


Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.