December 29, 2014 |

Three Steps To Building A Successful Security Awareness Program

Build your Security Awareness Program

A recent Insider Threat report from Vormetric revealed that only 27% of its 700 surveyed IT decision makers block privileged users’ access to data. Just within the past year, we've seen several data breaches and leaks occur as a result of insider threats. It’s important for organizations to defend their network perimeter against the malicious attackers and hacktivists trying to infiltrate valuable company data; but companies need to establish a secure internal system that can prevent a breach from occurring within their infrastructure. This starts with implementing an Information Security Awareness Program.

Companies can minimize insider threats and enhance their security strategy if they implement a successful Information Security Awareness Program. This program can serve as the foundation for your security program and the momentum that drives your overall security strategy. An effective security awareness program will answer three questions: “Who? What? And How?”

Here are three steps to help get you started on planning and implementing a successful Information Security Awareness Program:

Steps to Build Your Security Awareness Program

  1. Complete a Needs Assessment

The first part of the needs assessment process is selecting areas within your organization that you want to include in your program. These can be general areas or areas that function within multiple departments of your organization.

For Example:

  • Information Security Policies
  • New Employee Orientation
  • Industry Trends
  • Security Incidents
  • Laws/Regulations
  1. Promoting Awareness & Change

A security program should identify and cover training topics that will have a significant impact in supporting an organization’s goals and priorities. The SANS Institute Training content is communicated in the workplace effectively so that all parties (employees, contractors, c-level, etc.) will have a strong understanding on how to follow the policies as well as recognize, prevent, and report incidents.

The second portion to promoting awareness and change is data collection. What educational resources are available to my employees? What have they already been exposed to? These are great starter questions to point you in the direction of identifying your existing resources; current awareness and training material, training schedules, reports of who has and has not completed required training, etc. These can serve as your base for determining what additional training resources your organization will need.

Steps to get you there:

  • Create a starting point for your company’s security awareness level (human risk survey, phishing assessment etc.)
  • Identify the parties who you want to target in this program, not everyone will have to go through the same training so it may be tailored according to the employee’s role (Help Desk will vary from Marketing)
  • The SANS Security Awareness roadmap discusses that it is not necessarily the length of the content that you are teaching to your employees, it is what and how you will make the greatest impact for them to understand the policies.
  • Reinforcement training throughout the year is vital to building a successful security awareness program as well. Examples of this type of training ranges from newsletters, assessments, and blogs.
  1. Security Awareness Training as continuous process

Security Awareness training should be an instilled process in your organization in order for employees to have an understanding. Technology is ever changing and the training content should adapt and be up to date to current trends, threats etc..SANS introduces steps you will need to take to implement an ongoing security awareness training program:

  • Create a schedule of when the company will review the program each year
  • Facilitate an assessment of your security awareness program and compare the results to your original starting point of how you wanted to originally structure the program
  • For best results to modify the program, survey employees for their opinions and feedback about the program. This can include what they liked/did not like, specific topics that they found intriguing or that helped them with their position
  • Review the content and all feedback from the survey so you can identify where you will need to implement, remove, or modify topics of the program.


In addition to developing a long term training schedule for your staff, it is important to measure the awareness program by utilizing metrics. The reason metrics are vital to your security awareness program is because the company as whole needs to understand how the program has improved with security awareness and to measure your return on investment of the program. You will need to decipher which metrics you would like to measure that would benefit your company. Examples of metrics include but are not limited to:

  • Number of employees who complete/did not complete the security awareness training program
  • Test results of employees for before and after training: look at which topics impacted their security awareness, their knowledge of policies, etc.
  • Measure the number of employees who fall victim to phishing scams, viruses etc.


SANS Institute is cooperative research and education organization. They develop programs that assist companies and individuals meet their certification goals and other security training initiatives. This blog was developed as a summary of their Security Awareness Roadmap to help companies develop their own security awareness training program.

Other Articles

  • October 12, 2015 IT Security Awareness Best Practices: Healthcare Today, many Health Care organizations have such a complex network infrastructure and it is becoming harder each and every day to protect patient information (HIPAA) and first and foremost, securing your information security design. […]
  • July 7, 2016 Cyber Hunting Initiative Simply put, hunting is an active approach for detecting and defeating today’s modern adversaries. Hunters take different approaches to identify indicators and let them guide them while always assuming a breach. Their process is simple: […]