Most UK companies do not understand the business value of security awareness among their staff, according to consultancy PricewaterhouseCoopers (PwC).
Although security awareness is a fundamental part of information security, there are few success stories and most companies struggle to ensure their staff are educated in good IT security practices, PwC has found.
"The biggest misconception is that security awareness training can be done once at staff induction with a computer-based training programme," said William Beer, information security director at PwC.
However, security awareness should be ongoing and be made up of multiple elements including, but not limited to, computer-based training programmes, he said.
The most common problem is that there is often no clear budget for security awareness training, nor anyone responsible for driving it forward, said Beer. Security awareness needs executive buy-in to allocate the necessary budget, and needs to be owned by a department or individual to keep it going, he added.
"Being a people issue mainly about communication, this may not necessarily be the IT department or someone within it, but rather cross-functional, involving the HR department or similar," said Beer.
Buy-in from executives is often missing because boards typically fail to understand the business value of security awareness, PwC has found.
"Only when the board understands the business benefits of having every member of staff on the information security team, will it see the business case for security awareness training," said Beer. "This often means the number of incidents will increase initially, but this means the programme is working to improve the overall information security of the organisation," he said.
Beer is to speak in depth on security awareness at the inaugural Human Factors in Information Security Conference in London, from 22-24 February.
"The aim is to shake things up a bit and challenge thinking around security awareness," he said.
The most successful security awareness programmes tend to be built on a proper understanding of the organisation's internal culture.
"Security awareness programmes in utility companies, for example, should build on the safety-conscious cultures commonly found in such organisations," said Beer.
Another key element of successful security awareness programmes is a set of key performance indicators, PwC has found. "Although challenging to define, metrics are important to measure effectiveness and progress," said Beer.
The best place to start in building business cases for security awareness is to look at publications on the subject by the European Network and Information Security Agency and the UK Financial Services Authority, he said.