Business case for an Information Security Awareness Program

Awareness business case

by Dr Gary Hinson PhD MBA CISSP


Last updated in July 2016



Contact us for the editable MS Word version.



We have published this paper as a straw man - a good starting point if you are planning to establish and cost-justify your own information security awareness program. Naturally, it reflects the continuous rolling style of awareness program supported by NoticeBored but even if you do not intend to become a NoticeBored customer, you will find some useful ideas here to help structure your awareness program and hopefully to persuade your management to invest in it (though admittedly your program will not be so cost-effective without NoticeBored!).

Executive summary

This paper makes the case for investing in a continuous (rolling) security awareness program.  By informing and motivating our people to think and act more securely, the program will create a strong security culture, improve security compliance and cut costs.

The awareness program will address general employees, managers and specialists through three parallel streams of awareness material.  Fresh materials will be circulated every month, continuously promoting and reinforcing information security by covering a succession of important and interesting topics.

Note: an earlier version of this paper contributed to ENISA’s Users’ Guide: How to Raise Information Security Awareness. The business case has proven effective in numerous organizations. Do please let us know if it works for you, or if you have any other suggestions to improve or extend the business case - particularly feedback from your managers. Do they like the paper? Does it make good business sense? Which bit caused the most interest or concern?


Copyright © 2020 IsecT Ltd.