There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This second blog in a series of eight is about why you need an awareness programme.
In this first phase, you will establish the reason for needing an awareness programme. You will identify risks and take stock of existing activities in the area of cybersecurity and awareness. Where are the stumbling blocks? Or is everything just fine as it is? And what people will be needed to make a success of the awareness programme? We define 5 steps:
- Reason: you are not embarking on a security awareness programme for nothing. Perhaps there has been an incident. Or maybe the laws and regulations relating to privacy and security have changed (for example, the introduction of the GDPR). Studying the reason will reveal the exact nature of the need for an awareness programme. It is important here to map out the threats that your organisation is currently facing as a result of the lack of awareness.
- Current status: map out the current security and privacy awareness situation. For example, interview employees and students to measure awareness and investigate what behaviour they exhibit. Take stock of any incidents that have occurred as well as which activities are already being undertaken to tackle privacy and security awareness.
- Lessons learned: check what has been done previously within your institution in relation to privacy and security awareness. Were these activities successful? And what can you learn from them? By mapping out these insights, you will avoid the textbook pitfalls when carrying out awareness actions and you will also put past successes to good use.
- Who do you need? Identify the people you will need to make the awareness programme a success. For instance, members of the management team or the board of your institution, but perhaps also colleagues from other departments (e.g. communication). Engage process owners, system owners or department heads when embarking on an awareness programme. The management team and board have an important role to play in setting the tone. By exemplifying safe behaviour, they will be confirming that security risks are serious matters and that safe behaviour is seen as the norm. If the board and management team do not adhere to the agreed arrangements and procedures, this will lead to similar behaviour among other users.
- Mandate: management engagement and support is indispensable when implementing an awareness-raising programme and creating a security awareness mindset. It will help you to write a plan and pitch the need for the awareness programme to them.The information you collect during the previous 4 points will help you with this. Include in your plan important information about the current privacy and security situation of the organisation, such as a summary of recent incidents, a risk stocktake, a cost-benefit analysis and the necessity of the awareness programme (including consequences of inaction).
Once you know why you want to set up an awareness programme and have been given a mandate to develop this further, you can continue to the next step: identifying the target groups. We’ll cover this in more detail in the next blog. If you don’t want to wait, you can also follow the roadmap on your own (login required).
Other blogs in this series:
- #1: The utility and necessity of awareness
- #3: Who are your target groups?
- #4: What is the overall aim and desired behaviour?
- #5: Factors affecting behaviour
- #6: What actions and interventions should you use to encourage the desired behaviour?
- #7: Is your programme having the desired effect?
- #8: Implementing the programme
About the authors
This series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022