User awareness is part of the administrative foundation of a secure information processing environment. It is through an effective awareness program that a desire to meet policy objectives becomes part of your organization's culture.

The first step in building an awareness program is to understand the differences in the way each area of the business perceives policies and objectives. One of the easiest ways to accomplish this is the creation of a cross-functional awareness team. The assimilation of different perspectives provides insights into the best way to design awareness materials.

An awareness message should be short and to the point. The content of the message, whether delivered electronically or by some hard copy method, should address personal as well as organizational concerns. This makes the message more meaningful to individual users. An example of this approach, the "Did you know..." format, is depicted in Figure 1.

In this example, the message includes information relevant to the users' use of the Internet in general. It warns them of the possible problems associated with not practicing care when responding to messages. It also uses a short reference to the existence of a company policy related to this issue. By making users aware of personal as well as business risk, there's a better chance they'll remember the awareness message you're delivering.

There are other ways to deliver awareness messages. Table tent cards in the company lunch room, voice mail announcements, and posters are just a few. Be creative. Continuous use of the same old delivery methods might result in employee disinterest. The creation of unique delivery methods may not always be necessary.

Review the general training and awareness programs that exist in your organization today. These might include:

- New employee training
- Infrastructure training for new network engineers
- Application training for specific system users
- Operational training for system managers

Building awareness training into each of these processes is an effective way to build user awareness with tools and content appropriate for various audiences.

User awareness is a continuous process. As with any process, it's valuable to understand how effective your approach is. Clear measures of effectiveness help you adjust your awareness program to meet management security objectives.

Some ways to gauge user awareness include on-line tests on your intranet, formal surveys, and informal staff meetings to discuss security issues.

Regardless of the method appropriate for your organization, don't skip this step. Make sure you're getting value for your awareness program dollars.