One of the biggest challenges I feel organizations face in their awareness program is lack of structure.  Even if they have taken time to identify the security awareness topics with greatest impact, they often communicate that content in a haphazard manner.  To be effective you need a communications plan.  To help you structure your communications plan I like to break it down into two general areas, Primary training and Reinforcement training.
  • Primary training is the core of your program, this is when you communicate content to an end user for the first time.  For example, new hires at your organization or a contractor recently brought on to a project.  Primary training brings everyone up to speed and sets expectations.  This is also the minimum requirement for many compliance standards such as HIPAA or ISO 27001.  Common examples of primary training would be computer based training or onsite workshops.
  • Reinforcement training is where you repeat your topics, this is key to having an impact.  You cannot teach people once then expect to change behavior, you have to repeat your message.  Reinforcment does not teach anything new, it just reminds people in what you have taught them in the past.  Common examples of reinforcement training include newsletters, posters, screensavers, or phishing assessments.
In follow-on posts I will go into more detail on how you can use each of these for maximum effect.