CHAPTER 49

IMPLEMENTING A SECURITY AWARENESS PROGRAM

K. Rudolph

49.1 INTRODUCTION

49.2 AWARENESS AS A SURVIVAL TECHNIQUE

49.2.1 Awareness versus Training

49.2.2 IT Security Is a People Problem

49.2.3 Overnight Success Takes Time

49.3 CRITICAL SUCCESS FACTORS

49.3.1 In-Place Information Security Policy

49.3.2 Senior-Level Management Support

49.3.3 Example

49.3.4 Budget

49.3.5 Security Staff Backing

49.3.6 Reward for Good Security Behaviors

49.3.7 Destination and Road Maps

49.3.8 Visibility and Audience Appeal

49.4 OBSTACLES AND OPPORTUNITIES

49.4.1 Gaining Management Support

49.4.2 Keep Management Informed

49.4.3 Speak Their Language

49.4.4 Gaining Union Support

49.4.5 Overcoming Audience Resistance

49.4.6 Addressing the Diffusion of Responsibility

49.5 APPROACH

49.5.1 Awareness as Social Marketing

49.5.2 Motivation

49.6 CONTENT

49.6.1 What Do Security Incidents Look Like?

49.6.2 What Do I Do about Security?

49.6.3 Basic Security Concepts

49.6.4 Technical Issues

49.6.5 Reporting

49.7 TECHNIQUES AND PRINCIPLES

49.7.1 Start with a Bang: Make It Attention Getting and Memorable

49.7.2 Appeal to the Target Audience

49.7.3 Address Personality and Learning Styles

49.7.4 Keep It Simple: Awareness Is Not Training

49.7.5 Use Logos, Themes, and Images

49.7.6 Use Stories and Examples: Current and Credible

49.7.7 Use Failure

49.7.8 Involve the Audience: Buy-In Is Better than Coercion

49.7.9 Make It Memorable

49.7.10 Use Competition

49.7.11 Incorporate User Acknowledgment and Sign-Off

49.7.12 ...

Get Computer Security Handbook, Fifth Edition now with the O’Reilly learning platform.