Step 2: Identifying and Understanding your Audience
The Security Awareness Cycle
The second step in the Security Awareness Cycle is to understand your audience. In this step you identify the various groups within your organization. The purpose of this exercise is to outline each group so that you can identify their unique Security Awareness needs. Each group within the organization, and in some cases individuals within each group, will have unique security roles and responsibilities, and unique Security Awareness needs.
Executive leadership, or senior management, who are ultimately responsible for accepting residual risks to the organization, will have different Security Awareness needs than, for example, the Accounting department or the Human Resources department. The Human Resources department, which may be dealing with health insurance and other Personally Identifiable Information (PII), will have different needs than, for example, the Information Technology department. Understanding who your audience is can be critical to tailoring your Security Awareness training effectively, so that the audience is more receptive to your efforts to change their high-risk behaviors and to reinforce desired behaviors.
Now that you have an understanding of who your audience is and what their needs are, it is important to understand how they learn in order to best deliver Security Awareness. We can draw on theories from educational psychology to help with this. People have different cognitive skills, which means that each person's ability to learn and digest new information and knowledge differs from one person to the next. People also have different styles of learning. Some people prefer a spatial teaching style, where images and other visual tools are used in the learning process. Other people may prefer an aural teaching style, where the information is delivered in spoken form, and some prefer a logical teaching style, where logic and reasoning are used in the learning process. Lastly, people have different mental models: we all have a different thought process and understanding of the relationship between our work, tasks, tools, risks, threats, and actions. Understanding this will help when developing Security Awareness support materials for the various groups, so that the materials encompass all the various learning styles.
Step 3: Identifying High-Risk and Desired Behaviors
The third step in the Security Awareness Cycle is to identify behaviors. Security Awareness is all about changing high-risk behaviors and reinforcing desired behaviors in order to reduce and mitigate security risks to the organization.