The Security Awareness Cycle

Used by security practitioners and organizations all around the world, The Security Awareness Cycle is a process methodology that provides a holistic approach to security awareness by focusing on changing high-risk behaviors and reinforcing desired behaviors.

The Security Awareness Cycle is a process methodology based on my own award-winning graduate project work titled “Creating a Security Culture: A Guideline to Security Awareness”. It offers a complete, continuous cycle for implementing and maintaining a Security Awareness program, including the means for continuous improvement and for measuring the success of the program, with the long-term goal of creating a security culture.

The concept behind the Security Awareness Cycle was to create a step-by-step process that takes you through the entire journey, from the first steps of creating and collecting baseline Security Awareness metrics to delivering the message to your target audience, and that, when repeated, provides the means for properly identifying areas in your program that need additional focus or improvement.

If you are new to The Security Awareness Cycle, a good place to start is the article on Creating a Security Culture, which outlines the key benefits of a security awareness program, factors that contribute to the problem, impacts of poor implementation, and how to solve the problem. I also recommend reading the article on Building the Foundation for your Security Culture, which outlines the building blocks necessary to identify your organization’s intended security culture.

 

 

The Security Awareness Cycle looks at the problems around the 8th layer of security, our employees, from two different perspectives. From an Information Technology management perspective, we are interested in how we can best secure our organization while maintaining or improving operational efficiency. From an educational psychology perspective, we are interested in how we can change our employees’ high-risk behaviors and reinforce desired behaviors in order to reduce risks to the organization.

People have different cognitive skills, different styles of learning, different mental models, and different priorities. Understanding this is critical to delivering a clear message that the audience understands, and to changing behaviors. By tackling the problem from both perspectives we can ensure better success in creating a Security Awareness program that will contribute to the building of a security-conscious culture and ensure the continued operations of the business.

The Security Awareness Cycle will help bridge the knowledge gap, lower the barrier to entry when deploying a Security Awareness program, and ensure greater success. Bridging the knowledge gap is necessary so that Security Awareness can be delivered by Information Security professionals who aren’t educators; lowering the barrier to entry is necessary in order to persuade organizations that are still waiting to implement a Security Awareness program; and lastly, a solution will ensure greater success with implementation.

Tom A. Mannerud, M.Sc., CEH, CHFI

Information Security Practitioner

The Security Awareness Cycle

Step 1: Metrics
The first step in the Security Awareness Cycle is to collect metrics in order to establish a baseline to measure your Security Awareness Program against so that you, in later iterations, can measure the success of your program and so that you can identify areas in need of improvement.


Step 2: Identifying and Understanding your Audience
The second step in the Security Awareness Cycle is to identify and gain an understanding of your audience. In this step you should be identifying the various audiences or groups within your organization. The purpose of this exercise is to outline each group so that you can properly identify their unique Security Awareness needs.


Step 3: Identifying High-Risk and Desired Behaviors
The third step in the Security Awareness Cycle is to identify behaviors. Security Awareness is all about changing high-risk behaviors and reinforcing desired behaviors in order to reduce and mitigate security risks to the organization.


Step 4: Identifying Solutions to Facilitate Behavioral Change
The fourth step in the Security Awareness Cycle is to identify solutions to mitigate the risk or to facilitate a behavioral change. This is where you need to decide how you want to handle the risks identified in the previous steps.


Step 5: Creating Security Awareness Material
The fifth step in the Security Awareness Cycle is to create the Security Awareness material, which could take the form of email templates, newsletters, posters, screensavers, PowerPoint presentations, and others. The chief purpose of this material is to support the delivery of Security Awareness and training.


Step 6: Delivering the Message
The sixth and final step in the Security Awareness Cycle is to deliver the message. In this phase Security Awareness material is delivered to the audience, i.e. your employees.


The Security Awareness Cycle

After the organization has defined its overall security strategy, created and implemented security policies and procedures, defined security roles and responsibilities, and secured management support for a security awareness or security culture program it is time to...


Building the Foundation for your Security Culture

In order to create and foster a security-conscious culture within our organizations, it is essential that we first lay the foundation on which to build. Just like we would not build a house or a building without a solid foundation to place the remaining structure...


Creating a Security Culture

Society is changing rapidly and organizations increasingly interconnect in order to keep up with customer demands. The increased use of the Internet to conduct business, the transition from paper to digital media, the increased use of social networks, and the cloud...


You may use The Security Awareness Cycle and the materials made available here for free in accordance with the Creative Commons Attribution license.
