What are the 5 most important things to keep in mind when implementing a security awareness program?
1. Adult learning. A security awareness program is a waste of time and money if the information is not retained and a positive culture change is not initiated.
2. Content must be relevant to the audience. While some content may be mandated by a compliance standard (NIST, HIPAA, etc.), all content must be formatted and presented in a way that is relevant to the learners.
3. There is more to security awareness than phishing. Many programs consist almost entirely of phishing-centric content. It is true that phishing is one of the most important topics in security awareness, but it is far from the only topic. Focusing too much on phishing creates a false sense of security and gaps in awareness.
4. You don’t have to create IT experts out of your employees. The goal of security awareness is achieved by giving people the skills to recognize suspicious activity and to know whom to call for help, and when.
5. You are not making a “human firewall”. To think you are able to program humans to be human firewalls is not only unrealistic but also creates dilemmas in your goals and planning. What you are looking to do is raise awareness and work toward a form of intellectual herd immunity.