Information security culture can affect your business, both good and bad. Federico Iaschi, MBCS CISSP CISM, describes the crucial steps that help develop a successful information security awareness programme.

According to the movies, cybercriminals operate in dark and dusty places. They target large companies or governments and use things like ‘worms’ and ‘keys’ to gain access. This caricature has reassured many into a false sense of security. They believe data breaches are something that happens to someone else.

The reality is that cybercriminals rarely fit that profile. They are opportunistic, using scattergun techniques like phishing to hunt for weak points. And their intent is rarely world domination, it’s just money.

It’s easy to understand why phishing has become the favourite method of attack. No matter what enterprise they target, it is almost always easier to trick an employee than penetrate perimeter defences.

A shared responsibility

Higher awareness of cybersecurity and processes can raise the level of security and slow the spread of cyber threats significantly. As controls get better, criminals are increasingly relying on targeting people to make their way into systems and networks.

Think about protecting your home. You don’t just have a gate at the front. You put locks on the doors, maybe add a monitoring system or motion detector. But despite all these security controls, someone can always leave the door open.

Everyone doing business today shares an unfortunate truth: no matter how strong your cybersecurity defences, your employees are your biggest potential source of failure. It is not that we’ve hired bad people, there’s simply not enough understanding around the issues that are important to keep the company safe.

Information security awareness

We need to create a culture that promotes security as a collective responsibility rather than an ‘IT problem’. That means changing behaviours and relating cyber awareness to personal life, family and home. Our goal is to change culture and improve security. This can only happen if people make good decisions and reduce risks every day.

Awareness is not training. The purpose of an awareness programme is to focus attention on security; to help individuals recognise information security concerns and respond accordingly. Brief, intriguing, ‘sticky’ content is key. Include information on personal security, such as protecting children online and securing social media accounts. The more relevant and timelier, the better.

Yes, remind staff of important security policies. But also inform them about new and emerging information security risks, such as internet of things (IoT) attacks, or how phishing and ransomware are evolving. Share new techniques to help them online in their personal and professional lives.

A multi-layered approach

When planning an awareness campaign programme, we need to acknowledge that one size will not fit all. Computer-based training may be effective for certain employees, but not everyone. Newsletters will be read by some but skimmed over or binned by other staff.

We need to use as many channels of communications and tools as possible, to engage the greatest number of employees. Using different approaches, simultaneously, will broaden the scope of the programme and engage a higher number of employees.

Planning an information security awareness campaign

We don’t want to overload our users with information; therefore, it’s worth dividing the campaign into different phases, each one dedicated to discussing a different topic. There are many options you can include.

Think about:

  • Roadshows: one layer of an information security campaign should be face-to-face events where possible. The aim is to bring information security closer to users.
  • Phishing simulations: simulate attacks to assess the level of phishing predisposition in your business. Gather information and data on the employee population, identify repeat offenders, high-risk departments, or locations.
  • Webinars: sessions to introduce campaign topics, appropriately tailored for different audiences.
  • Internal communications: a significant part of a campaign is communication. These include newsletters, blogs, videos and posters.
  • Intranet site: a sense of community is paramount when launching these programmes. We want our users to feel part of it, able to raise their hands, ask questions and actively engage.
  • Virtual/ face-to-face events: cyber security month initiatives; walk-in information security ‘surgeries’; lunch and learn sessions. Well-executed events bring the security awareness programme and the whole security effort to life.

Developing a single point of contact, a one-stop-shop, where users can find the information they need, will provide significant benefits during campaigns. Either Teams channels, Yammer, or SharePoint intranet can create a community. It doesn’t matter which tool you use, just the final result.


Gamification means using the elements of game design in a non-game context. It’s not about creating a training game to teach people specific topics. Rather, you’re trying to change behaviour and posture towards information security. The purpose is to increase motivation to act - one of the fundamental challenges in security awareness.

Gamification offers a way of making information security awareness exciting, but more importantly, memorable. Think of the current craze for escape rooms. Teams work cooperatively to discover clues, solve puzzles and accomplish tasks in a limited amount of time. Using the escape room model lets you create an awareness campaign your teams are going to remember long after your session ends.

This doesn’t mean that all campaigns should include games and competitions, but, going back to the multi-layered approach, gamification has been proven to be highly effective in transferring knowledge to individuals.

Ongoing campaign activities

The cybersecurity threat landscape is changing rapidly. Every month, there are new issues to tackle that didn’t even exist before. You need to regularly review and refresh your information security awareness campaign to make it useful and relevant.

Create a continuous programme of education. Developing a strong security culture is not a one-off activity but an ongoing process you need to constantly nurture.

Gather feedback from your participants. Provide opportunities for them to ask questions, add comments and address concerns. Update your programme based on the results. Use metrics to help management make informed judgment about its effectiveness.

Thorough evaluation of the campaign (against metrics and performance objectives) lets you report on the campaign’s effectiveness and to improve future initiatives. It’s not simply gathering and reporting numbers. Instead, you’re acting in response to the numbers in a continuous dialogue between employee behaviour and security activities.

Choosing metrics

Metrics are massively important to measure implementation effectiveness, reporting to management and as a basis for an improvement plan.

Here are some metrics you should consider:

  • Incidents reported by users: when launching an information security awareness campaign, one of the first affects you can expect is an increase in the number of user reports. The higher the increase, the better. It means that your campaign is working and people know what and how to report.
  • Suspicious link clicks: whilst you should have an increase of reporting users, you should also experience a decrease in clicks on suspicious links. You would normally gather this through internal phishing simulation tests.
  • Engagement levels: measuring user engagement, for example, intranet site visits, is a good way to understand whether you are going in the right direction.

By collecting regular metrics, you can adjust your programme to the measured effectiveness. By determining what is working and what is not, you can tailor future programmes based upon lessons learned.

Key takeaways

The focus of information security awareness relies on reaching broad audiences with attractive packaging techniques. One size doesn’t fit all. We need different tools to engage all employees. We need to spend our efforts understanding the business and our audience.

Good communication is always essential to influence any kind of behaviour. Everyone needs a shared understanding of the importance of information security and the need to actively contribute. Build a culture of shared ownership of information security rather than blame and fear of making mistakes. All employees throughout the business must be aware of their responsibilities and the need to develop a risk-based approach, focusing effort where it is most needed and will have the most impact.

Awareness is not training. The key aim is not about employee training and education or delivering concrete knowledge about any specific standard or regulation, like GDPR. Your focus is altering the mindset and behaviours of the workforce, to adapt to changing environments and really live and breathe a security culture as part of organisational DNA.