Tactical Advice

How to Start an IT Security Awareness Program

These tips can start you down the path to developing an effective security awareness program.

IT Security Awareness: It Starts with the User

Are your users aware of their responsibilities for preserving the security of your organization? Do they know how to recognize and react to a phishing scheme? What about the proper response when a strange security-related error message appears on their screen?

One of the most important components of an effective information security program is a strong user-awareness effort designed to provide end users with the answers to these questions. Many of the most dangerous security threats depend upon the failure of users to recognize phishing, social engineering and other attacks that target this weak link in the security chain.

Crafting a Compelling Message

Think about the tools used for security awareness programs and the environments in which they compete for attention. A reminder e-mail might be one of hundreds of unread messages in employees’ inboxes. Posters hanging in hallways and break rooms are cluttered with many other messages. Awareness programs might be attended by people who are checking their e-mail and making notes for their next meeting at the same time. For these reasons, it’s imperative to create a message that stands out from the crowd and has an impact on the audience.

Brothers Chip and Dan Heath wrote a book called Made to Stick: Why Some Ideas Survive and Others Die that highlights these issues and offers six characteristics you should try to incorporate into your messaging. The six items covered by their SUCCESs model are:

  • Simple: Remember, you have their attention for only a few seconds. Capture their active interest and impart a message that is memorable. Consider a phishing attack. What’s easier to remember:

    “Only use your password on sites that end in ourcompany.com.”

    or

    “The password that you use for your company account should be different from all other passwords that you use. When a website prompts you for your password, check that it is either an official company website or it is on the list of external sites approved by the IT department. If you have questions, please contact your IT support representative.”

    The answer might seem obvious, but you’d be amazed how many people opt for the “more correct” but more complex second message. Keep it simple! Just make sure the simple version is still accurate: a rule worded as “ends in ourcompany.com” also matches lookalike names such as notourcompany.com, so the short rule you teach should be one you can defend, for example “ourcompany.com, or anything that ends in .ourcompany.com, over HTTPS.”

  • Unexpected: Grab people’s attention by standing out from all of the other clutter. Consider using images and words that are strikingly different from their surroundings.

  • Concrete: Put the message into concrete, everyday terms. Instead of talking about vague “risks to company security,” give concrete examples. Use something along the lines of “Four of your colleagues had their accounts compromised last year. This resulted in 12 hours of website downtime and cost us $570,000 in revenue.”

  • Credible: Why should your audience believe you? A story of business loss sourced to a functional manager known to your employees is much more credible than a similar story told in a general, abstract sense without attribution.

  • Emotional: Make your audience care about your message. The emotion you appeal to will vary depending upon your type of business and corporate culture. For example, a defense contractor with a message of “Do your part to protect our national security” would likely appeal emotionally to staff.

  • Stories: Consider using first-person storytelling to explain to people the behaviors you want them to exhibit. For example, a victim of a phishing attack explaining how he forgot to check the website address before providing his password will help people put themselves in the victim’s shoes.

Successful security awareness campaigns incorporate as many of these characteristics as possible. It’s not practical, of course, to cram them all into a single message, but you should take the time to evaluate any planned communication campaign against this checklist to fine-tune the message.
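To see why the wording of the “Simple” rule matters, the following Python script is an added example (not code from the article) that applies the rule two ways: literally, as a suffix match on “ourcompany.com”, and strictly, as “the domain itself or one of its subdomains, over HTTPS”. The domain ourcompany.com is the article’s placeholder, and the sample URLs are constructed for illustration; they include the kinds of lookalike and userinfo tricks that phishing pages use.

```python
from urllib.parse import urlsplit

# Placeholder domain taken from the awareness message in the article.
TRUSTED_DOMAIN = "ourcompany.com"

# Constructed sample URLs (not real sites): a mix of legitimate and
# phishing-style addresses that a user might be shown.
SAMPLE_URLS = [
    "https://portal.ourcompany.com/login",          # legitimate subdomain
    "https://ourcompany.com/login",                 # legitimate apex domain
    "https://notourcompany.com/login",              # lookalike: suffix matches
    "https://login-ourcompany.com/",                # lookalike: suffix matches
    "https://ourcompany.com.evil.example/login",    # trusted name as a prefix
    "https://ourcompany.com@evil.example/login",    # trusted name in userinfo
    "http://portal.ourcompany.com/login",           # right host, no TLS
]


def naive_endswith_check(url: str) -> bool:
    """The rule as literally worded: 'sites that end in ourcompany.com'."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(TRUSTED_DOMAIN)


def strict_domain_check(url: str) -> bool:
    """Accept only the trusted domain or a subdomain of it, and only over HTTPS.

    Using a real URL parser (urlsplit) means 'user@host' tricks resolve to the
    actual host, and requiring a leading '.' before the trusted domain rules
    out names that merely end in the same characters.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def naive_false_positives(urls):
    """URLs the literal suffix rule would accept but the strict rule rejects."""
    return [u for u in urls if naive_endswith_check(u) and not strict_domain_check(u)]


def classify(urls):
    """Map each URL to (accepted by literal rule, accepted by strict rule)."""
    return {u: (naive_endswith_check(u), strict_domain_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive_ok, strict_ok) in classify(SAMPLE_URLS).items():
        print(f"{url:50s} literal={naive_ok!s:5s} strict={strict_ok!s}")
    print("Accepted only by the literal wording:", naive_false_positives(SAMPLE_URLS))
```

The three URLs that pass the literal wording but fail the strict check are exactly the ones a phisher would register, which is why the short rule should be phrased around the leading dot and HTTPS rather than around a bare suffix.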

Fleshing Out the Awareness Program

In addition to creating a compelling message, come up with a good mixture of awareness efforts that complement each other. Effective campaigns include a combination of elements designed to provide information, increase awareness and remind people of their information security responsibilities on a regular basis.

One of the most important elements of an information security campaign is the initial training that employees receive when they begin working at an organization. This is an opportunity to impress corporate standards upon them before they’ve learned potentially bad habits from their coworkers or adopted work patterns that may pose security risks. Whether training is incorporated into a larger human resources orientation effort or offered as stand-alone training, consider covering the following topics:

  • Handling of sensitive information
  • Passwords and other authentication mechanisms
  • Social engineering and phishing
  • Compliance responsibilities
  • VPN use
  • Other topics important to your organization

While initial training is important, it’s also essential that the messages are repeated on a regular basis. One way to do that is with refresher training offered to all employees on an annual basis. As with initial training, you may be able to piggyback on other annual training provided by the HR group. Refresher training should cover the same messages as your initial training, but you might consider reducing the length of the training program to accommodate the work schedules of active employees.

Also, supplement the annual training program with periodic reminders on important topics. This is where e-mail, posters and other marketing materials come into play. Use them to highlight time-sensitive issues and remind people of very specific actions that they can take to improve the organization’s security posture. Remember, you’ll have only a few seconds to grab staff attention, so be sure to follow the SUCCESs model.


About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
