This post is the first in a series of what I consider the top ten topics for any security awareness program.  This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start.. To kick off any awareness program, I always recommend that a program start with the topic YOU ARE THE TARGET.   The purpose of this topic (or module) is to explain to end users that they are the target. Far too often people have the misconception that they are not a target, that their information or their computers has no value to attackers.  Of course we know this to be false. Anyone with an identify, computer or private information is a target, cyber criminals have made an entire industry of hacking the end user.  This module explains this to people, specifically who is targeting them and why.   There are several lesson objectives here.
  • The first is to make sure that end users know and understand they are being actively targeted, that they have value to others.   One of my favorite ways to communicate this is screen shots of cyber criminal websites dealing in stolen personal information.
  • The second is to teach end users that these risks exist regardless if they are at work or at home.
  • The third is that almost everything they will learn in this awareness program will not only apply to work but for their home and family.
The end goal is to have employees that want to learn.  Once they understand they are a target, and what they will learn will protect them and their family, they are motivated.  They understand the key question 'what is in it for me?'.  Another key point I like to raise is while we want to teach them they are a target, do not scare them off from technology.  Just like driving a car, we want them to understand the risks involved so they can safely leverage the latest technologies, not be scared from it.