Security Awareness Program Components

For those people interested in creating a Security Awareness program, here is a list of components to consider including in a program. The list was created to help people create a budget, hence the language used, and there is no particular order to this list. Each component should be considered on a case by case basis depending on your corporate culture, business drivers, resources available, etc. Please feel free to contact us with any questions.

Please note that the list is from our working papers, and was created as a courtesy by request from our peers. It is not intended to be a finished work. This is also a living document, and we are happy to hear suggestions on how to enhance this list and learn from your own experiences.

  • Training for the awareness team
  • Trinkets, giveaways, etc.
  • Costs of monetary prizes or awards
  • Printed materials (posters, table tents, stickers, etc.)
  • Special events budgets for Computer Security Awareness Month, internal wellness events, etc.
    – Special event costs can be substantial

  • Purchased newsletters
  • Computer Based Training (CBT)
  • Required compliance training modules, like HIPAA, PCI
  • Internationalization, such as translation costs, cultural issues, bringing in local staff to train them to champion security awareness
    – NOTE: Translation can sometimes double the cost of the program

  • Tools to measure the effectiveness of security awareness efforts
  • Bringing in guest speakers
  • Subscriptions to newsletter template companies
  • Phishing tools and services
  • Costs for food at lunch and learns
  • Stickers for coffee cups, lunch bags, etc.
  • Banners, or other prominent posting, if your company allows such things
  • Internal costs for using the internal communications team
  • Internal printing costs
  • Travel costs associated with all of the above events, especially if including remote locations
  • Consultants or internal personnel as required to:
    • Assist in program design
    • Supplement the security awareness staff
    • Assist with translation and internationalization efforts
    • Analyze metrics and program effectiveness
    • Design custom materials, such as posters, videos and CBT
    • Conduct special events
    • Provide special skills such as legal and compliance advice
  • Costs associated with creating unique programs for more than one user population. There are few successful one-size-fits-all programs. You may want to consider creating special programs for:
    • Management
    • Each distinct internal population—for example a retailer would have their HQ staff, technology team, retail workers, warehouse staff, credit departments, etc.
    • Legal, compliance, IT, etc.
  • A rainy day fund to be able to respond to the inevitable awareness related issue that goes public.

Again, these are just things to consider. There is no single perfect awareness program. Also, an individual component does not qualify as an awareness program on its own.