Creating an awareness program
How do you develop a well-founded privacy and security awareness program step-by-step? Where do you start and which components should definitely not be missing?
Here you will find information to develop your own program. In seven steps you will cover all the necessary components; once you have gone through the seven steps, you will immediately have a clear plan.
This first phase examines what prompted the awareness program. You identify risks and take stock of what is already happening in the field of cybersecurity and awareness. Where are things going wrong, and where are they going well? And which people are needed for the awareness program to be successful?
In this second phase, you identify your target groups in a structured way. This will help you optimally tailor the awareness program to your target groups. This will ultimately improve the effectiveness of your program and make the results more measurable.
In this phase, you determine what you want to achieve with the awareness program. How will you reduce key privacy and security risks? We start by formulating a generic goal and break it down into subgoals. The more concrete we can make these subgoals, the better we can influence behavior and measure effects.
People are influenced by numerous factors that will result in them ultimately exhibiting or not exhibiting the desired behavior. In this phase, we list the most important behavioral factors for each target behavior. This will help you determine which knobs to turn in order to ultimately achieve the desired behavior.
In this phase, you determine which communication tools you will use to raise awareness within your institution. Which forms of offline and online communication best suit your target audience(s) depends on your target behavior.
Think about what you want to achieve with the available means of communication. By consciously choosing communication tools whose purpose is clear, you can better shape the program.
If you want to know whether a program is having the desired effect, you have to test it. Without testing, it remains a guess whether the situation is improving or worsening.
By now you have defined the desired behavior you want to achieve. But to know how far you are from the desired situation, you also need to know what the current situation is. So you need an idea of how aware your users currently are (a baseline measurement). This can be done through surveys, interviews or using a mystery guest. A combination of different methods is often more effective than using only one.
It's time for the final phase of your awareness program: implementation. The planning can be set up and your communication tools can go into production. Your awareness program can take off.
Use interim measurements to assess whether sub-activities of the awareness program are leading to the desired results.
For continuity with the baseline measurement, ask the same or similar questions in the interim measurements. After all awareness activities have been completed, you perform an effect measurement. This answers the question: has security awareness within the institution changed from the situation before the start of this campaign?