Building a Robust Security Awareness Program

IT Consultant. Data / Systems / Infrastructure / Security Architect. My primary purpose in life is that of learning, creating, and sharing.
Awareness Program – Establishes a common understanding – Everyone plays a role!


Organizations often spend money on security technology or services and then find that these initiatives fail to achieve their objectives because front line employees or senior management do not support them. Don’t forget that all your security measures and expensive security hardware are not effective if you have an “uninformed” employee.

Security awareness is vital at all levels of an organization. Implementing appropriate measures to create that awareness among all employees will lead to the desired behavior in security-relevant situations. Educating employees about security threats and cyber-attacks should not be considered a waste of money, but rather an investment in mitigating threats. It is also prudent that employees know whom to contact and what procedures to follow if they suspect a hacking attempt or any other threat.

Security awareness and training both play a role in incident response [1a]: a person whose primary role falls outside of information security still needs to know whom to call, and where, for the various levels of incidents. Without timely reporting to the right people, it is much more difficult to keep a security breach from harming your organization. A good program helps all personnel recognize threats [1b], see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues. These users should be aware of the sensitivity of protected data, even if their day-to-day responsibilities do not involve working with it.

Education, Training, and Awareness

Learning is a continuum (Figure 1); it starts with awareness, builds to training, and evolves into education. The continuum is further described in the National Institute of Standards and Technology (NIST) SP800-50 which is titled "Building an Information Technology Security Awareness and Training Program" [2].

Figure 1

To change the security culture of your organization, your staff must be more than just aware; they must participate in the act of learning. Awareness of a topic is when a learner passively receives information from instruction, whereas training is a more active process with established goals, an understanding of the learning objectives, and an expected change in behavior. Training a learner involves building essential knowledge and developing the skills they will use when faced with specific scenarios.


The program should be aligned with the overall business strategy and adaptive to changing threats. It rests on four themes:

  • Ongoing Effort
  • Business Risks
  • Desired Behaviors
  • Create a Risk-Aware Culture

National Institute of Standards and Technology (NIST)

Security awareness is addressed very differently within regulations and standards. An analysis and differentiation of the regulations and standards can be beneficial to meet compliance requirements more efficiently. A company should be aware of which regulations are relevant and applicable. In general, applicability depends heavily on the business, which means organizations are often affected by different requirements at the same time. The NIST standard can help you design or update your internal security awareness programs.

NIST publishes many different standards [3]. In SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), security awareness is addressed in the form of four relevant controls in the Awareness and Training (AT) family [4]:

  • AT-1 Security Awareness and Training Policy and Procedures; Policies and procedures with appropriate content must be created. These must be disseminated within the organization, regularly reviewed and updated.
  • AT-2 Security Awareness; Training must be carried out for new employees, in the case of relevant changes to information systems, and repeated in a defined frequency. It is recommended to include simulated cyber-attacks, as well as detection and reporting of threats.
  • AT-3 Security Training; Role-based security training must be conducted, e.g., for software developers or personnel administering security systems.
  • AT-4 Security Training Records; Document and monitor individual system security and privacy training activities.

Components of a Program

  • Identify the program scope, goals, objectives, and outcomes
  • Identify the training staff
  • Identify target audiences
  • Prepare management and employees for the training
  • Administer the program
  • Maintain the program
  • Evaluate the program

The Adaptive Awareness Framework designed by MediaPro [5a] [5b], which is tightly aligned to the NIST Cybersecurity Framework [3], offers businesses an actionable and measurable way to introduce better security awareness into organizations (Figure 2).

Figure 2

Best Practices for Building a Security Awareness Program

The end goal of a security awareness program is to produce professionals capable of vision and proactive response (Figure 3). This list of security awareness best practices will help you improve the effectiveness and comprehensiveness of your program [9]:

  • Understand your goals and what your current organizational culture will tolerate.
  • Understand your human risks.
  • Understand your capacity.
  • Have explicit, measurable goals before starting.
  • The program should be easy to adjust, easy to measure, and easy to digest.
  • Job performance evaluation should include a security component to evaluate each employee’s contribution to and cooperation with security responsibilities such as loss reporting and risk identification.
  • Create job descriptions that contain clear statements of accountability for information security.
  • Create an internal newsletter of relevant and timely topics to build awareness [6].
  • Educate employees on the different policies and on when they are required to sign off on a policy.
  • Educate users on how to identify and report suspicious activities.
  • Educate employees on current events and how not to fall victim to security-related attacks [7].
  • Periodic awareness updates are important; otherwise, the level of awareness among the employees would steadily decrease.
  • Post messaging in places where staff gather and interact with information, including physical bulletin boards and internal mail stations.
  • Detail the most significant threats to the organization such as physical security threats.
  • Running your own simulated phishing campaigns is a great way to evaluate and refine the security awareness program for your organization [8].
  • All training activities should be documented, monitored, and individually recorded, as recommended by the NIST Security Training Records control (AT-4). Maintain records of all staff who have and have not completed training so that managers can be reminded and remedial action can be taken.
  • Awareness measures upon hiring new employees are a must. Otherwise, newly hired employees pose a high level of risk because they are unfamiliar with organization-specific processes, structures, and systems.
  • Apply the program to all employees.
  • Examine and assess security awareness and training policies.

Figure 3


Manipulating the human element is one of the most effective ways for attackers to gain access to an organization that has invested heavily in technical controls but has not invested enough in employee training and awareness.

Without comprehensive education, user-based attacks [10], such as social engineering, will be a significant source of risk for an organization. In addition to teaching users about the inherent risks of using technology, it is essential to educate them on the policies and procedures required for them to operate safely within the organization's systems. Training should also take into account the types of access and roles that employees have.


[1a] https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html

[1b] https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html

[2] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf

[3] https://csrc.nist.gov/publications/sp

[4] https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

[5a] https://www.mediapro.com/why-mediapro/methodology/

[5b] https://www.mediapro.com/blog/ebook-how-the-nist-cybersecurity-framework-improves-security-awareness/

[6] https://www.sans.org/security-awareness-training/ouch-newsletter

[7] https://www.mitre.org/capabilities/cybersecurity/situation-awareness

[8] https://info.knowbe4.com/free-phish-alert

[9] https://www.infosecinstitute.com/best-practices-security-awareness-training/

[10] https://www.pensar.co.uk/blog/infographic-10-disturbing-facts-about-employees-and-cyber-security
