Generic/template business case for an Information Security Awareness Program
Latest update September 2007
Download as a read-only PDF 
Contact us for the editable MS Word version 
Introduction
We have published this paper as a straw man - a good starting point if you are planning to establish and cost-justify your own information security awareness program. Naturally, it reflects the continuous rolling style of awareness program supported by NoticeBored Classic and an intranet-based policy management system such as SecureAware, but even if you do not intend to become a NoticeBored customer, you will find some useful ideas here to help structure your awareness program and hopefully to persuade your management to invest in it.
Executive summary
This paper lays out the case for investing in an innovative continuous security awareness program. By informing and motivating people, the program will create a strong security culture, improve security compliance and cut net costs.
The awareness program will address general employees, executive managers and technologists through an integrated suite of information security policies, standards, guidelines, awareness and training materials. Fresh awareness materials will be circulated every month, continuously promoting the information security brand.
The program will be managed by a dedicated security awareness program manager under the leadership of the Information Security Manager, and delivered with the assistance of other corporate functions as necessary. The main expense will be the program manager's salary. A commercial off-the-shelf intranet-based ISO/IEC 27001/27001 Information Security Management System will become the focal point of the awareness program, and we will obtain monthly awareness materials from a specialist supplier. The program can therefore be launched quickly and easily maintained thereafter.
Metrics and methods borrowed from the field of marketing will be used to manage and prove the cost-effectiveness of the program. We are confident that the business benefits (resulting from increased compliance, improved control, reduced risks and reduced losses through security breaches) will substantially outweigh the program costs.
Contents (18 pages)
Introduction - background, scope, document approval & history
Awareness program overview - aims, overall structure, target audiences
Awareness program content - topics, types of material & sources
Awareness program methods - intranet, creative comms, branding
Program management - governance, manager, plan and metrics
Cost benefit analysis - program costs, business benefits, conclusion, refs
Appendices: target audiences; potential awareness topics; program plan/GANTT chart; communications methods.
Note: this business case paper contributed to ENISA's Users' Guide: How to Raise Information Security Awareness. ENISA's excellent paper expands considerably on our paper with helpful advice to SMEs on how to plan and establish security awareness programs - recommended reading.
Derivatives of this business case have proven effective in numerous organizations. Do please let us know if it works for you, or if you have any other suggestions to improve or extend the business case. We are happy to update the paper to incorporate good ideas.