An organization’s security awareness programme tends to be focused on the policies and controls put in place by the organization. It’s very difficult for this type of material to be anything but dry. What’s worse is that the impact on the individual can be lost. And, without impact, awareness is just noise.
If someone does not feel threatened, there is no sense of urgency or importance.
Relate awareness to the individual
I started Lunch and Learns in one organization to exclusively teach tips on how people could secure themselves and their families at home. I never even mentioned office policies or procedures.
The material covered things like:
- recent security news
- tips on teaching secure computing for kids
- how to maximize the security of personal accounts (bank, personal mail, etc.)
- exciting stories of hackers and their methods (pulled from my honeypots).
All of it was driven by the questions and concerns of the participants themselves.
The results were surprising
Even though attendance was not required, a lot of people came, not just once, but to subsequent sessions. I also found that those who had been to these sessions would reference the sessions when I would support them in security incidents. The attendees “got it” and deeply internalized the technical details and concepts to the point where they naturally applied what they learned in their work.
Teach them to secure themselves
You want your organization’s members to learn and internalize the material that you are teaching them, but sometimes you need to teach them to secure themselves before they will be a partner in securing your organization.
Have you used something like this? Tell us about your experiences in the comment section.