ABSTRACT

The typical perspective of security awareness is that it is a tool to promote policy and compliance. We would like to propose that you look at security awareness as a key component of creating and showing value (refer to chapters 1 and 8). Value is a perception that must be honed by an effective security awareness program that accomplishes the following objectives:

Promotes the message that security enables the business to function effectively

Cultivates positive recognition for the information security program

Perpetuates security principles across the enterprise, thereby increasing user acceptance and enhancing security posture

Trains nonsecurity personnel to be ambassadors for security, thereby increasing security coverage without adding head count

Security is often viewed as a necessary annoyance due to its restrictive nature. An effective awareness program counters this negative perception and promotes the message that security facilitates rather than impedes business functions. Awareness brings to light the negative impact of security incidents, the high cost of retrofitting security after production, and the long-term benefits of building resiliency and information protection into critical business systems.