Planning a Security Awareness Program

Javid Chizari

9/23/2022

The human element is the weakest link in the security chain, and the security of a system is only as strong as the weakest point of that system.

A study conducted by Stanford University in 2020 and Verizon’s 2022 Data Breach Investigations Report (DBIR) show that over 80% of data breaches were caused by or associated with the human element. The average cost of a data breach has been increasing every year; as an IBM report indicated, it rose from USD 3.86 million per breach in 2020 to USD 4.35 million in 2021. This figure covers direct costs such as cleaning the systems, remediation, and labor, as well as indirect costs such as loss of revenue, valuation, and reputation.

Security awareness programs are the key to minimizing this weakness, and they bring the following benefits:

  • Building an effective security culture in the organization and spreading the principle that all employees are members of the security team.

  • Increasing the efficiency of technical defense systems.

  • Increasing clients’ confidence and trust in the organization.

To achieve these benefits, a security awareness program proposal should contain the following components:

Audiences: each audience group would be provided with materials tailored to its needs and security priorities, delivered as scheduled courses (physical or virtual), asynchronous computer-based training, emails, and social media.

  • Employees

  • Clients

  • Third parties

Training Materials:

  • General security guidance, as a minimum awareness level, for all three groups. This portion could cover topics such as email security, phishing, password security, ransomware, information security, social engineering, safe internet habits, social media presence and its security risks, removable media, wireless network security, physical security, data management, remote connections, security incident reporting, and privacy.

  • In-depth. These resources would be carefully crafted for employees based on their specific roles in the organization (IT, HR, management, …) and for third parties based on their relationship and responsibilities in the supply chain or in maintenance.

  • Compliance, delivered as a role-based program.

Evaluation and Metrics

  • Training quiz and test

  • Phishing campaigns

  • Security violation

  • Attack detection

  • Incident reporting

  • Password strength and periodic password-change ratio

  • Policy and audit acknowledgment

  • Surveys

  • Clean desk policy adherence