
Security Awareness and Hanlon’s Razor

Hanlon’s razor is a saying, or perhaps more a rule of thumb, that states: never attribute to malice that which is adequately explained by stupidity.

Security awareness is a training program aimed at heightening security awareness within the organization. Simply stated, the training aspects of an effective security awareness program should result in:

  • An awareness program tailored to the organization’s needs
  • Heightened levels of security awareness and an appreciation of information assets
  • A reduction in the support effort required by the organization.

Awareness as a security objective

A security awareness program should be an ongoing program, as training tends to be forgotten over time. Without the power of repetition, most people tend to relax about their responsibility to follow procedures and guidelines unless they are periodically reminded of them. Also, the risk of social engineering is more likely to manifest if people are unaware that “targets” are not always technological by nature.

People are our first line of defense – no matter what type of organization we work for.

Creating an awareness program

Overall, the security team should at least try to do the following:

  • Gain Leadership Support
  • Create a Security Awareness Advisory Board or Security Steering Committee
  • Get Specific on Who Your Target Groups Are
  • Identify and Prioritize Your Human Risks
  • Communicate to and Engage Your Target Groups
  • Update and Improve
  • Measure (do some cool campaigns ;))
