ISACA Journal Author Blog


Move From Good to Great With These 7 Tips for Your Awareness Program

Tom Pendergast, Ph.D.
Published: 9/19/2016 3:06 PM

When I interact with our clients, the vast majority of them are either trying to get a brand-new awareness program off the ground or are looking for ways to improve a program that is pretty limited in scope. I bet this sounds familiar to many readers: IT and information security teams are so busy fighting other battles that they often have little time left for dealing with the human side of privacy and security. You will pass most audits with a program that is “good enough.” But what if your awareness program could be great?

I got a chance to think more about this the other day when one of our most advanced clients said that his chief information security officer (CISO) wanted to know what it would take to move their program from good to great. We had already been working with them on a program that included small units of training interspersed with monthly videos, and I knew that their program was completely voluntary. (Yes, I know!) Here are my ideas for revving up a program so that it is fun for employees and tightly aligned with known risk factors:

  1. Starting with your corporate risk assessment, make direct connections between the business risk and the behavioral risk that will be targeted with the awareness program. I would target no more than 10 risk factors.
  2. Identify multiple pieces of educational content for each identified behavioral risk. The content should be a mix of styles, e.g., conventional (but very short) web-based training, phishing simulation, videos, articles, tweets. Some of it should be safe and corporate, but most of it should be more fun—as game-like as possible. The higher priority the risk, the more frequent the communication; phishing, for example, should be addressed regularly.
  3. Create a fun but competitive environment in which employees can earn points for their security and privacy competence. Employees can earn points when they consume some content; they can earn points when they successfully avoid or report a fake phishing attempt; they can earn points for scores when they participate in a security or privacy game or by attending a security training. They can even earn points in a contest to design the best security or privacy poster.
  4. Assign point values to each piece of content, based on 2 factors: riskiness and complexity. There should be more points for high-risk items and for complex items.
  5. Announce winners on a regular basis, and not just individual winners, but divisions or business units or whatever unit of people makes sense in your environment. Be very public in your announcements so everyone knows that people across the company are invested in information security.
  6. Get management involved in promoting it and, ideally, in getting their teams fired up about participating.
  7. In my ideal world, I would want to deploy some form of user behavior analytics, not to spy on people, but to better identify the nonmalicious user actions that put information at risk. I know, however, that this would not be approved by this client.

If you had the opportunity to take your program from good to great, what would you do?

Read Tom Pendergast’s recent Journal article:
“How to Audit the Human Element and Assess Your Organization’s Security Risk,” ISACA Journal, volume 5, 2016.
