Security Awareness - Implementing an Effective Strategy

Security Awareness - Implementing an Effective Strategy (PDF, 1.66MB)
Published: 25 Oct, 2002
Created by: Chelsa Russell

People are often referred to as the weakest link in an information security program. Through either intentional or accidental misuse of access, people often leave networks and organizations exposed. 'All it takes is just one weak link in the chain for an attacker to gain a foothold into your network' (Nichol p.1). All too often, security programs focus on technical controls rather than the human element. 'Your organization can be bristling with firewalls and IDS but if a naive user ushers an attacker in through the back door you have wasted your money' (Power p.18). Although the weakness that people present can never be totally eliminated, a well-planned security awareness program can help to reduce the risk to an acceptable level. It is critical that people understand their role in protecting information and information assets. This paper examines the importance of security awareness and how it supports the fundamental goals of an information security program. In addition, this paper provides a recommendation for implementing an effective security awareness strategy. This paper also spends considerable time discussing common obstacles to implementing an effective strategy. These obstacles have been derived from a combination of real-world experience and research.