3. CreativityCreativity is a must. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget. An example of creativity includes the use of a security cube during a company event. The security awareness department set up a mock cubicle, with 10 common security violations, in the main hallway. Employees who could identify all 10 violations were entered in a prize drawing. Another effort included giving out boxes of chocolates that included the security policy document, on Valentines Day. Employees reported that they felt compelled to read the document, because they liked the chocolate. These are just examples, but clearly there are an unlimited number of options.
4. MetricsOne of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiated new awareness efforts. Without having a baseline, it is hard to demonstrate that your efforts had more than assumed success.
The metrics can include surveys on attitudes. They could also include the use of phishing simulation tools to include pre and post awareness training. You can also examine the number of security related incidents, such as attempted visits to banned websites. When you can show measurable improvements in any aspect of security, you can justify your program, and obtain additional funding and support. Just about every department in a company has to prove their value, and security should not expect to be an exception.
5. Department of howAwareness efforts that focus on how to accomplish actions are more successful than those that focus on telling people that they should not be doing things. Clearly there are actions that should not be allowed, but those should be the exceptions and not the rule. For example, it is not realistic that you can tell employees that they should not be on social networks, but it would be useful to them if you tell them how they can be on social networks safely.
6. 90-day plansMost security awareness programs follow a one-year plan. Those plans also attempt to cover one topic a month. This is ineffective, as it does not reinforce knowledge, and does not allow for feedback or to account for ongoing events. Programs that relied on 90 Day plans, and reevaluated the program and its goals every 90 Days, are the most effective. The most successful program focuses on 3 topics simultaneously that are reinforced regularly throughout the 90 Days. Every 90 days, the program is reevaluated to determine what topics need to be addressed moving forward.
Sign up for CIO Asia eNewsletters.