The 7 elements of a successful security awareness program

When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was "security culture." From performing many security assessments and penetration tests, it is sadly obvious that even the best technical security efforts will fail if the company has a weak security culture. It is heartwarming that CSOs are now moving past straight technological solutions and towards instilling a strong security culture as well.

To determine the components of a truly successful security awareness program, we performed a study to identify critical success factors for building one. We interviewed security awareness practitioners at Fortune 500 companies and surveyed the security staff and general employees at the companies. Additionally, we validated the results and gathered additional information at a security executive event in the United Kingdom with more than 150 security executives participating.

While there are many more lessons to be learned, what follows are the 7 most notable habits we found that lead to successful security awareness programs.

Counterpoint: "Why you shouldn't train employees for security awareness," by Dave Aitel of Immunity Inc.

1. C-Level support

Awareness programs that obtain C-level support are more successful. This support inevitably leads to more freedom, larger budgets and support from other departments. Anyone responsible for running a security awareness program should first at least attempt to obtain strong support, before focusing on anything else.

Yes, getting this level of support can be difficult, but our research also found best practices on how to obtain this support. Successful efforts frequently highlighted that security awareness was required for compliance and that awareness efforts provided a return on investment that will inevitably save the company money. They also created special materials specifically for upper-management, such as newsletters and short articles that highlighted relevant news and tips that were specific to executives.

2. Partnering with key departments

Successful awareness programs found a way to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. While it is easier to get this support if you have the C-level support, these departments frequently have mutual interests and might be amenable to providing additional resources, such as funding or distribution. Frequently, these departments can make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organization and can make security awareness a required component of other processes, such as new hire indoctrination.

To obtain this support, you may find that you have to incorporate the needs of the cooperating departments into the general security awareness efforts. For example, you might offer to include compliance content in the security awareness newsletter. If it gets you the support you need, the effort is definitely worth the trouble.

3. Creativity

Creativity is a must. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget. One example of creativity is the use of a security cube during a company event: the security awareness department set up a mock cubicle, with 10 common security violations, in the main hallway. Employees who could identify all 10 violations were entered in a prize drawing. Another effort included giving out boxes of chocolates that included the security policy document, on Valentine's Day. Employees reported that they felt compelled to read the document, because they liked the chocolate. These are just examples, but clearly there are an unlimited number of options.

4. Metrics

One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiating new awareness efforts. Without a baseline, it is hard to demonstrate that your efforts achieved more than assumed success.

The metrics can include surveys on attitudes. They could also include phishing simulations run both before and after awareness training. You can also examine the number of security-related incidents, such as attempted visits to banned websites. When you can show measurable improvements in any aspect of security, you can justify your program and obtain additional funding and support. Just about every department in a company has to prove its value, and security should not expect to be an exception.

5. Department of how

Awareness efforts that focus on how to accomplish actions are more successful than those that focus on telling people what they should not be doing. Clearly there are actions that should not be allowed, but those should be the exceptions and not the rule. For example, it is not realistic to tell employees that they should not be on social networks, but it would be useful to them if you tell them how they can be on social networks safely.

6. 90-day plans

Most security awareness programs follow a one-year plan. Those plans also attempt to cover one topic a month. This is ineffective, as it does not reinforce knowledge, and does not allow for feedback or account for ongoing events. Programs that relied on 90-day plans, and reevaluated the program and its goals every 90 days, are the most effective. The most successful programs focus on 3 topics simultaneously that are reinforced regularly throughout the 90 days. Every 90 days, the program is reevaluated to determine what topics need to be addressed moving forward.

7. Multimodal awareness materials

The most successful programs are not only creative; they rely on many forms of awareness materials. While there is a potential place for learning management system training modules, too many programs rely on them completely as an awareness program. Successful programs incorporate a variety of awareness tools. This includes newsletters, posters, games, newsfeeds, blogs, phishing simulation, etc. The most participative efforts appear to have the most success.

Another issue to consider is that materials should attempt to connect with different generations. For example, some videos seem to connect best to young males. You then need to use other videos or materials that connect with older employees and females. There is definitely no such thing as "One Size" security awareness.

Conclusions

There were many more habits that led to either success or failure of security awareness programs, but these are a starting point as to where you should begin. The big takeaway is that habits drive security culture, and there are no technologies that will ever make up for poor security culture. Awareness programs, when properly executed, provide knowledge that instills behavior. Security should definitely be common sense, but you cannot have common sense without providing common knowledge.

Anyone interested in downloading the full research report can do so at


Stories by Ira Winkler and Samantha Manke