ABSTRACT

The objectives of the security awareness program and the means for achieving those objectives need to be clearly understood. The objectives need to include that:

• Employees recognize their responsibility for protecting the enterprise’s information assets

• Employees understand the value of information security

• Employees recognize potential violations and know who to contact

• The level of security awareness among existing employees remains high

Employees Recognize Their Responsibility for Protecting the Enterprise’s Information Assets

Too often, it is assumed that employees understand the consequences of lost, stolen, or destroyed information. This is not the case. Employees tend to focus on what their particular responsibilities are within the enterprise. Most employees, if asked what the strategic business objectives of the enterprise are, would reply, “to make money.” They do not realize that other objectives may include producing quality products, being the industry leader, having 70 percent of market share, or penetrating global markets. Employees contribute to those objectives by following the standards and procedures outlined for them to perform their job. Unless someone ties those standards back to an objective such as producing a quality product, employees will not be aware of that connection. The same is true for information security. It may be a corporate objective but until the

tion security, they are only there to do their job. Information security must be presented to them as a function of their job.