The Security Awareness Cycle
Used by security practitioners and organizations all around the world, The Security Awareness Cycle is a process methodology that provides a holistic approach to security awareness by focusing on changing high-risk behaviors and reinforcing desired behaviors.
The Security Awareness Cycle is a process methodology based on my own award-winning graduate project work titled “Creating a Security Culture: A Guideline to Security Awareness”. It offers a complete, continuous cycle for implementing and maintaining a Security Awareness program, including the means for continuous improvement and for measuring the success of the program, with the long-term goal of creating a security culture.
The concept behind the Security Awareness Cycle was to create a step-by-step process that takes you through the entire journey, from the first steps of creating and collecting baseline Security Awareness metrics to delivering the message to your target audience, and that, when repeated, provides the means for properly identifying areas in your program that need additional focus or improvement.
If you are new to The Security Awareness Cycle, a good place to start is the article on Creating a Security Culture, which outlines the key benefits of a security awareness program, factors that contribute to the problem, impacts of poor implementation, and how to solve the problem. I also recommend reading the article on Building the Foundation for your Security Culture, which outlines the building blocks necessary to identify your organization's intended security culture.
The Security Awareness Cycle looks at the problems around the 8th layer of security, our employees, from two different perspectives. From an Information Technology management perspective we are interested in how we can best secure our organization while maintaining or improving operational efficiency. And from an educational psychology perspective we are interested in how we can change our employees’ high-risk behaviors and reinforce desired behaviors in order to reduce risks to the organization. People have different cognitive skills, different styles of learning, different mental models, and different priorities. Having an understanding of this is critical to successfully deliver a clear message that the audience understands and is critical to changing behaviors.
By tackling the problem from both perspectives we can ensure better success in creating a Security Awareness program that will contribute to the building of a security conscious culture and ensure the continued operations of the business. The Security Awareness Cycle will help bridge the knowledge gap, lower the barrier to entry when deploying a Security Awareness Program, and ensure greater success. Bridging the knowledge gap is necessary so that Security Awareness can be delivered by Information Security professionals who aren’t educators, lowering the barrier to entry is necessary in order to persuade organizations who are still waiting to implement a Security Awareness program, and lastly, a solution will ensure greater success with implementation.
Tom A. Mannerud, M.Sc., CEH, CHFI
The Security Awareness Cycle
Step 1: Metrics
Step 2: Identifying and Understanding your Audience
Step 3: Identifying High-Risk and Desired Behaviors
Step 4: Identifying Solutions to Facilitate Behavioral Change
Step 5: Creating Security Awareness Material
Step 6: Delivering the Message
After the organization has defined its overall security strategy, created and implemented security policies and procedures, defined security roles and responsibilities, and secured management support for a security awareness or security culture program, it is time to...
In order to create and foster a security-conscious culture within our organizations, it is essential that we first lay the foundation on which to build. Just like we would not build a house or a building without a solid foundation to place the remaining structure...
Society is changing rapidly and organizations increasingly interconnect in order to keep up with customer demands. The increased use of the Internet to conduct business, the transition from paper to digital media, the increased use of social networks, and the cloud...
You may use The Security Awareness Cycle and the materials made available here for free in accordance with the Creative Commons Attribution license.