We believe that the primary objective of a security awareness program should be to educate users on their responsibility to help protect the confidentiality, availability and integrity of their organization’s information and information assets.
Information security is everyone’s responsibility, not just that of the IT security department. It is critical that users understand not only how to protect the organization’s information, but also why it is important to protect that information.
“People are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about. Employees must understand how their actions can greatly impact the overall security position of an organization.”
An awareness program should reinforce security policy and other information security practices that are supported by the organization.
“Security awareness helps minimize the cost of security incidents, helps accelerate the development of new application systems, and helps assure the consistent implementation of controls across an organization’s information systems”.
The goal of awareness should be to raise the collective awareness of the importance of security and security controls. Awareness messages should be simple, clear and presented in a format that is easily understood by the audience. The goal of training should be to facilitate a more in-depth level of user understanding.