Need three email template to encourage my employees to complete Security Awareness Training.

Posted on 2014-08-28
Last Modified: 2016-05-12
Two more weeks left before the deadline and I still have a number of employees who have not yet completed the training. I think at this point, I need to send an email to the management team to have there subordinates complete and acknowledge the security policy, and also an email targeting those that have not completed their training that there account will be locked if they do not complete it before the deadline.

That said, can someone please help me come up with a few email template for:

1) Email to management team to encourage their subordinates to complete and acknowledge the security policy.

2) Email indicating there account will be locked if they do not complete training before the deadline, because they are deem a security risk.

3) Email reminder to take security courses before deadline (this is the third reminder email by the way). If employees still do not comply, I will schedule a meeting session with them to go over security awareness.

The challenge is dealing with the executives, who thinks they are to good for this and it's a waste of time. I'm sure I will have the buy in from my VP of IT to locked out users, but I'm sure the executives will have a fit about that.
Question by:freebeee01
    1 Comment
    LVL 15

    Accepted Solution

    I know you're asking for templates and forms of words, but consider the following first:-

    The problem you seem to be facing isn't so much one of wording, but rather one of motivation and enforcement. You understand the need for security awareness training for employees, and the company has at least a dim awareness that such training would be a Good Thing; however, unless you have the unequivocal support of senior management in delivering this course then you're wasting your time.

    In the worst case scenario you'll be made the scapegoat for any failures in implementation of the course, and even if you avoid that fate then the reluctant beneficiaries of the course will pay no attention to the principles of safe and vigilant internet and email usage and things will continue as if it had never happened.

    Locking users' accounts is unlikely to be productive, as the employees will still turn up for work; preventing them from working once they are in the office (or wherever) by denying them access to the system and then not paying them because they're not working is likely to be a legal minefield. Threatening them with meetings about security awareness if they don't play ball by the deadline will be like scolding teenagers - it will go in one ear and out the other, bypassing the brain completely.

    It's not just taking the course that matters; applying its lessons is the whole point of the exercise, and if employees aren't willing to learn and do then sanctions must be applied. If the executives (whatever they are) are leading the charge in non-compliance then they have to be dealt with first.
    The Horrible Example approach might work well here - no course, no job, no exceptions. Another sanction, which would be ongoing, would be to make individual employees personally responsible for matters arising from their carelessness in allowing threats to compromise or damage any aspect of the company's activities, with such offences automatically invoking the appropriate level of clearly defined disciplinary action; this would ensure that the lessons from the security awareness course would be continually applied as part of the warp and weft of the working day.
    Having said that, all stick and no carrot management is counterproductive, so perks and rewards could be made available to those who do embrace the concept and practice of proactive defence against internet and email threats. If the organisation is large enough then there could be interdepartmental competitions and league tables in which the best-performing groups might be given time off, or cinema tickets, or pizzas, or whatever works best for the company and employees concerned. Even in a small outfit a little imagination can devise effective incentives for rewarding those who are alert and proactive in protecting the company.

    Change is often accompanied by conflict, and some of the problems you face appear to be due to a tacit policy of conflict avoidance, even when the latter isn't helpful. The language you use when outlining what you want the templates to cover shows this: "encourage", "indicating", "scheduling a meeting" are all indefinite terms that allow plenty of wriggle room for the unwilling.

    It sounds as though you have to sell this security awareness thing to the senior management first and get them on board because until you have their full support in getting these measures in place and working, no amount of gracious prose and veiled pleading (for that is what it will be) is going to change the current mindset; if that high-level management support isn't forthcoming and sustained, you will be on your own... If it does materialise then your language should still be polite, but firm and decisive as well.

    If senior management at your company act like politicians, promising you everything you need and delivering little or none of it, then if you can't change minds perhaps you would do better to change organisation.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Suggested Solutions

    Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
    Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    761 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now