Secrets to a Successful
Security Awareness Program

Think about cyber security incidents and the images that come to mind are evil hackers breaking into networks to steal data. Or, ransomware attacks that shut down systems at banks or hospitals, originating from foreign nation states. However, serious as these threats are, they aren’t the biggest risk organizations face today. It’s uninformed and careless employees.

Three employees looking upset at computer over mistake made

What is the risk related to employees and security incidents? IBM¹ found that more than 95% of all incidents investigated found “human error” a contributing factor

The obvious answer to addressing employee risk is to implement a security awareness program. Unfortunately, many security awareness programs fail – people don’t take training, they don’t change behavior, and security incidents continue.

Which leads us to the question, how can you create an effective security awareness program? First of all, your training program should address key security risks that your employees face including:

  • Phishing
  • Password creation and management
  • Clean desk policy
  • Protecting sensitive information
  • Drive-by malware
  • Lost and stolen mobile devices
  • Securing Internet of Things (IoT) devices
  • Using the cloud securely
  • Privacy laws, policies and procedures
  • Unintended disclosure
  • Social engineering
  • Insider threats
  • Incident response

Remember that new threats are continually launched by bad actors, and existing cyber threats are evolving. As new threats emerge, it is important to keep content and training up-to-date.

Assuming that you are providing security awareness training on the right topics, how can comprehensive training be delivered most effectively?

Image showing group on mountain arms raised depicting best practices

Here are seven best practices to follow to ensure your program's success:

  1. Offer high quality content that is engaging and relevant.
  2. Make content interactive, requiring participation. Include learning exercises rather than just static content like PowerPoint presentations or one-way videos.
  3. Keep it brief. Shorter is easy to remember. Ten minutes is a good guide.
  4. Offer training frequently. Train throughout the year – rather than one and done annually.
  5. Use positive messages. Don’t just punish, but encourage. Offer helpful solutions.
  6. Use gamification and game-based learning. Studies show this works best to ensure “sticky” (memorable) content.
  7. Use staff assessments, quizzes, phishing simulations and other measurements only after enabling your employees with the right materials and important messages to get their jobs done well.

Another important element to ensure success is management buy-in and executives leading by example. A holistic training program ensures top-driven priority. After you analyze your organization, build a plan and strive for excellence in delivering that plan to the enterprise.

You can create a culture of openness, where reporting incidents is normal, and not a bad thing for staff. Table-top exercises and/or other group activities can aid in encouraging this behavior. Also, using multiple communication channels can ensure that everyone is getting the message – whether that be online, with posters or in live group meetings.

In conclusion, a successful security awareness program requires ongoing vigilance, with both coordinate training and phishing simulations working well together.


¹ IBM Security Services 2014 Cyber Security Intelligence Index. IBM Global Technology Services. 2014.
Seniors executives meeting in boardroom