ABSTRACT
Security awareness is a compliance requirement that organizations need to meet for information security related standards and regulations such as ISO 27001, CobiT, PCI DSS, GDPR, HIPAA, and many more. The majority of these standards and regulations explicitly require organizations to implement a communication and awareness programme for employees and contractors on how to protect valuable information. It has led to a lucrative market for businesses selling awareness training, posters, educative games, campaigns, and so on. When communication is approached as a compliance or policing exercise, the employees in the organization will continue to see cybersecurity as a necessary evil. Auditors are not the only audience that cybersecurity needs to satisfy. In parallel to cybersecurity, awareness is only the first step in the process to actually change the behaviour.
