Information Security Awareness Program – What is the Key to Make it a Success?


CISOs and information security professionals across industries agree on one key component of any security program: user awareness of security policies and best practices.

Security is only as strong as the “weakest link” in your chain. The human factor is considered the most challenging component in the security ecosystem, and awareness programs aim to build resiliency among users to address this key risk in any organization.

Although past security incidents show that many of them originated from a combination of factors, human error or human interests had a role to play in most of them.

So how should organizations address this risk?

Is it by educating and enabling the users with the skills required to handle sensitive information and systems in a secure manner or by limiting the user dependency on the main operations and activities?

This has been an interesting debate among security professionals for a while.

Although awareness programs have an important role to play in the maturity of an organization's security environment, some experts feel that overemphasis on this factor can lead to the actual causes being overlooked.

They argue that wrongly blaming the human factor for the losses associated with security breaches leaves the underlying technology and process ineffectiveness ignored and unaddressed.

What is the truth in this? Can an organization depend solely on how security-aware its workforce is? Can banks leave their financial stability exposed to the risk of any employee making a mistake or committing fraud?

Let us analyze the key elements of any security ecosystem and the three building blocks of a security strategy.

The system consists of People, Process, and Technology. Building a resilient workforce and customer base is vital to achieving security objectives and to reducing incidents or, at a minimum, the impact of security incidents.

However, at the same time, the program requires equal or greater effort to define and refine appropriate processes with security embedded in them, and to identify and deploy the right, effective security technology.

A collective, best-effort approach is required to raise security awareness among employees and customers. Effectiveness is achieved if the program is designed, developed, deployed and monitored in the right manner.

The design must be well thought out and take into account the business strategy, regulatory requirements, organizational culture, current level of awareness, and techniques. Baselining the awareness level is a major step in the program rollout.

Phishing email tests, quizzes and surveys, and past financial losses due to information security failures are some of the KPI baselines that can be used to assess the success of the program.

If the Key Performance Indicators (KPIs) are tangible and expressed in financial terms, support, buy-in and budget for the program are easy to obtain.



  • Identify the legal and regulatory requirements
  • Identify the stakeholders
  • Identify the business requirements/needs
  • Determine the organizational goals and risks
  • Align with Business, IT, Information Security, Marketing & Communication Strategy
  • Conduct a scope and needs assessment to understand the training requirements
  • Decide the program techniques and target audience
  • Decide the type of metrics and Key Performance Indicators.
  • Target audience
  • Metrics and KPIs


  • Form a team, identify the stakeholders, roles, and responsibilities
  • Identify the security awareness metrics, and Key Performance Indicators (KPI) – Operational/Delivery and also Lag Measures (Outcome)
  • Develop a Communication & Marketing Plan for the Program
  • Content Design, Development, and Schedules
  • Identify the mode, method, and techniques of training and awareness
  • Create a baseline of the security awareness status
  • Develop metrics, and KPIs
  • Operational/Delivery KPIs
  • Lag KPIs (Outcome)

Deployment/Execution of the Program

  • Run a marketing campaign to promote the awareness program
  • Establish a proactive and comprehensive communication setup
  • Engage with the stakeholders – Communication Department, Marketing Department, Human Resource, Compliance, and Events Management
  • Set up a 2- or 4-week Awareness Campaign
  • Create momentum for the program through quizzes, prizes, brochures, posters, and online and onsite training
  • Run the campaign based on a theme
  • Record feedback and improvement areas
  • Event Management
  • Quizzes, prizes, brochures, posters
  • Online and onsite training
  • Newsletters, Intranet, Emails, SMS
  • Rewards and incentives
  • Feedback and improvements


Continual Improvement

  • Measure the metrics, performance indicators
  • Review the positives and negatives
  • Identify improvement areas
  • Take necessary actions to correct some causes
  • Continue with the activities for the rest of the year, based on the pre-planned schedule
  • Lessons learned
  • Improvement areas
  • Corrective Action Plans
  • Continue the Program

Critical Success Factors

  1. Customized and targeted training and awareness program and content
  2. Executive Management support and buy-in
  3. Key Stakeholder Engagement
  4. Interesting and innovative techniques and approach
  5. Holistic Approach
  6. Measure, Improve – KPIs
  7. Show positive approach
  8. Rewards and Incentives
  9. Communicate Rightly
  10. Promote and Market

So does that solve the whole dilemma?

A security awareness program should run on a continual basis and must be crisp, clear and straightforward, addressing the target audience with the right mixture of content.

Overdoing the program, or communicating too much or too often, could be detrimental and make the audience lose interest. Ideally, engage with the communication department to plan the method and frequency of communication. Similarly, the marketing department can help market the program and its components to the audience effectively.

Rather than static, one-dimensional emails or online/onsite training, interactive sessions with questions and answers and quizzes with prizes and certificates could encourage more participation and commitment from the audience.

Once the Information Security Department is ready to demonstrate the business value of the program, the budget requirements for the program can be easily justified.

However, although improving information security awareness is a critical component of the whole control family, it should be supported by consistent and efficient security-embedded processes and adequate security technology.

The right combination of people, process, and technology is the secret behind a mature security posture for any organization.

Rather than leaving a single point of failure, even if an employee or customer makes a mistake or attempts to violate security policies and controls, security-savvy processes or automated controls should prevent the risk from materializing and protect the organization from losses. The same applies to the failure of a process or a technology component.

Although 100% security is a myth, the objective of a CISO or an information security organization should be to manage risks as effectively as possible and mitigate them with adequate controls based on the risk rating.

The remaining residual risk is addressed by having a well-tested and trained incident management program and business continuity plan.

All of these should be aligned with the corporate risk appetite so that all investment in information security is backed by an organization-level cost-benefit analysis. The risk evaluation may be based on financial or regulatory impact or, in certain cases, solely on reputational damage.

A security awareness program should run on a continual basis and must be clear and straightforward, addressing the target audience with the right mixture of content. Overdoing the program or providing too much information could be detrimental and make the audience lose interest.

Engaging with the communication department to plan the method and frequency of communication, and getting the marketing department's support to market the program appropriately, are key factors in making the program a huge success.


An Information Security Awareness Program is a fundamental component of any information security strategy and ecosystem, but at the same time, the right processes and effective technology controls must complement it.

A well-designed and tailored awareness program engages the audience with innovative and interesting techniques and up-to-date, relevant content.

Buy-in from executive management and other key stakeholders is crucial to the success of the program, and that success is explicitly demonstrated through Key Performance Indicators.

