INTRODUCTION
The Security Awareness Cycle is a process methodology based on my own award-winning graduate project work titled “Creating a Security Culture: A Guideline to Security Awareness”. It offers a complete, continuous cycle for implementing and maintaining a Security Awareness program that includes means for continuous improvement and for measuring the success of the program, with the long-term goal of creating a security culture.
The concept behind the Security Awareness Cycle was to create a step-by-step process that takes you through the entire journey, from the first steps of creating and collecting baseline Security Awareness metrics to delivering the message to your target audience, and that, when repeated, provides the means for properly identifying areas in your program that need additional focus or improvement.
If you are new to The Security Awareness Cycle, a good place to start is the article on Creating a Security Culture, which outlines the key benefits of a security awareness program, factors that contribute to the problem, impacts of poor implementation, and how to solve the problem. I also recommend reading the article on Building the Foundation for your Security Culture, which outlines the building blocks necessary to identify your organization’s intended security culture.
The Security Awareness Cycle addresses the challenges posed by the 8th layer of security—our employees—from both an Information Technology management and an educational psychology perspective.
From the IT management side, the focus is on securing the organization while maintaining or improving operational efficiency. From the educational psychology angle, the goal is to change high-risk behaviors and reinforce desired behaviors to mitigate risks to the organization. Understanding that people have different cognitive skills, learning styles, mental models, and priorities is crucial for delivering a clear, impactful message and achieving behavior change. By approaching the problem from both perspectives, we can create a more effective Security Awareness program that fosters a security-conscious culture and ensures business continuity.
The Security Awareness Cycle helps bridge the knowledge gap, lowers the barrier to entry for deploying a Security Awareness Program, and ensures greater success. Bridging the knowledge gap is essential for Information Security professionals who aren’t educators. Lowering the barrier to entry encourages organizations that have yet to implement a Security Awareness program. Ultimately, this holistic approach ensures more successful implementation and adoption.
THE SECURITY AWARENESS CYCLE
Step 1: Metrics
The initial step in the Security Awareness Cycle involves collecting metrics to establish a baseline. This baseline serves as a benchmark to evaluate the effectiveness of your Security Awareness Program in subsequent cycles. By doing so, you can accurately measure the program’s success and pinpoint areas needing improvement.
Step 2: Identifying and Understanding your Audience
The second step in the Security Awareness Cycle is all about identifying and understanding your audience. This involves recognizing the different groups within your organization and outlining their unique security awareness needs.
Each group, and sometimes individuals within those groups, has distinct needs. For example, executive leadership or senior management, who are responsible for accepting residual risks on behalf of the organization, have different security awareness needs compared to departments like Accounting or Human Resources. The Human Resources department, which deals with health insurance and other Personally Identifiable Information (PII), will have different requirements than the Information Technology department.
Once you understand who your audience is and what their specific needs are, it’s important to also understand how they learn best. Drawing from Educational Psychology, we know that people have different cognitive skills, learning styles, and mental models. Some people prefer spatial learning with images and visual aids, others prefer aural learning through spoken information, and some prefer logical learning with reasoning and logic.
By understanding these differences, you can develop security awareness materials that cater to all learning styles, ensuring that each group within your organization receives the information they need in the way that suits them best.
Step 3: Identifying High-Risk and Desired Behaviors
The third step in the Security Awareness Cycle focuses on identifying behaviors. Security Awareness aims to change high-risk behaviors and reinforce desired behaviors to reduce and mitigate security risks to the organization.
Step 4: Identifying Solutions to Facilitate Behavioral Change
The fourth step in the Security Awareness Cycle is to identify solutions to mitigate risks or facilitate behavioral changes. This step involves deciding how to address the risks identified in the previous steps. Solutions typically take the form of policies, procedures, or guidelines. In some cases, they may be supplemented by hardware implementations or software deployments.
Step 5: Creating Security Awareness Material
The fifth step in the Security Awareness Cycle is to create the Security Awareness material, which can take the form of email templates, newsletters, posters, screensavers, PowerPoint presentations, and others. The chief purpose of this material is to support the delivery of Security Awareness and training. This is also where the topics are chosen. What topics will the material support? Traditional examples include Viruses and Malware, Phishing Attacks, and Social Engineering attacks; equally important, topics are chosen based on the analyses conducted in the previous phases of the Security Awareness Cycle. Phase 1 “Metrics” will determine areas that need attention and improvement. Phase 2 “Understanding your Audience” will determine training needs that are unique to the various groups within the organization. Phase 3 “Identifying Behaviors” will determine topics based on the high-risk employee behaviors we want to reduce or mitigate, and it will identify desired behaviors we want to reinforce. The topics identified in these initial phases are often unique to each organization, depending on its size, industry, and structure.
Step 6: Delivering the Message
The sixth and final step in the Security Awareness Cycle is to deliver the message. In this phase, Security Awareness material is delivered to the audience, i.e. your employees. The delivery can take place via many different mediums, such as email, newsletters, computer-based training (CBT), presentations, group sessions, and so forth. It is important that mediums are chosen across all spectrums in order to accommodate the various learning styles, and it is important to choose mediums that are not already saturated.
License Information
“The Security Awareness Cycle” framework is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). This means you are free to use, share, and adapt the framework as long as appropriate credit is given and any derivatives are shared under the same license. Feel free to modify it to suit your needs, and don’t forget to acknowledge the original source.
Citing the Security Awareness Cycle: A Growing Legacy
It is an honor to have contributed to the growing body of knowledge and best practices in cybersecurity. Explore the list of books, articles, and research papers that have referenced “The Security Awareness Cycle” and our site, showcasing the impact and recognition within the cybersecurity community.
- Öberg, Emma, and Nikola Katardjiev. Informationssäkerhetskunskap i gymnasieskolan: En nulägesanalys av gymnasieelevers kunskaper och lärares arbete kring ämnet, 2016. Accessed December 10, 2024. https://www.diva-portal.org/smash/get/diva2:947197/FULLTEXT01.pdf.
- Fennelly, Lawrence J., and Marianna A. Perry. “Developing a Culture of Security.” The Security Beacon, February 2017. https://www.asis-boston.org/newsletter/2017feb_newsletter.pdf.
- Ki-Aries, Duncan, and Shamal Faily. “Persona-centred Information Security Awareness.” Computers & Security 70 (September 2017): 663-674. https://www.sciencedirect.com/science/article/pii/S0167404817301566.
- Fennelly, Lawrence J. The Handbook of Loss Prevention and Crime Prevention. 6th ed. 2020.
- Fennelly, Lawrence J., and Marianna A. Perry. “Building a Sustainable Culture of Security.” In The Professional Protection Officer: Practical Security Strategies and Emerging Trends, edited by IFPO, Chapter 35, 2020. https://www.sciencedirect.com/science/article/abs/pii/B9780128177488000353?via%3Dihub.
- Lackner, Paul. “Merging Information Security Policies – Requirements and Best Practices.” Master’s thesis, University of Applied Science, 2024. https://phaidra-services.fhstp.ac.at/api/object/o:5623/download.
Thank you to everyone who has embraced, implemented, and even considered these concepts. Your commitment to enhancing security awareness and practices continues to drive our collective success.