Security Basics - User Awareness

Written by: Tom Olzak, CISSP • Edited by: Bill Bunter
Updated May 31, 2010

User awareness is an essential part of information security. The existence of policies, standards, and guidelines must be known to the employees that handle your data and manage your infrastructure. This article explores the basics of user awareness training. (This article is updated content from the book, "Just Enough Security.")

Building an Awareness Program

User awareness is part of the administrative foundation of a secure information processing environment. It is through an effective awareness program that a desire to meet policy objectives becomes part of your organization's culture.

The first step in building an awareness program is to understand the differences in the way each area of the business perceives policies and objectives. One of the easiest ways to accomplish this is the creation of a cross-functional awareness team. The assimilation of different perspectives provides insights into the best way to design awareness materials.

An awareness message should be short and to the point. The content of the message, whether delivered electronically or by some hard copy method, should address personal as well as organizational concerns. This makes the message more meaningful to individual users. An example of this approach, the "Did you know..." format, is depicted in Figure 1.

In this example, the message includes information relevant to the users' use of the Internet in general. It warns them of the possible problems associated with not practicing care when responding to messages. It also uses a short reference to the existence of a company policy related to this issue. By making users aware of personal as well as business risk, there's a better chance they'll remember the awareness message you're delivering.

There are other ways to deliver awareness messages. Table tent cards in the company lunch room, voice mail announcements, and posters are just a few. Be creative. Continuous use of the same old delivery methods might result in employee disinterest. The creation of unique delivery methods may not always be necessary. Review the general training and awareness programs that exist in your organization today. These might include,

New employee training
Infrastructure training for new network engineers
Application training for specific system users
Operational training for system managers

Building awareness training into each of these processes is an effective way to build user awareness with tools and content appropriate for various audiences.

Measuring Results

User awareness is a continuous process. Like all processes, it's always valuable to understand the effectiveness of your approach. Clear measures of effectiveness help you adjust your awareness program to meet management security objectives. Some ways to gauge user awareness include on-line tests on your intranet, formal surveys, and informal staff meetings to discuss security issues.

Regardless of the method appropriate for your organization, don't skip this step. Make sure you're getting value for your awareness program dollars.

Tables and Figures (Hover for caption, click to enlarge)