Yesterday I was presenting to the Information Security Council of a large international company on the subject of information security awareness. It’s currently a hot topic as more and more organisations wake up to the fact that people are a major cause of breaches, yet not enough has been invested in this area, and much of it has been ineffective.
There are many reasons why security awareness initiatives fail to hit the spot. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. I’ve always found it pays to get external professional assistance.
One question put to me was: “What percentage of the security budget should be spent on security awareness?” A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends on where you are in terms of process maturity and other factors that might shape your priorities, but in my view it should be 10-20% of the security budget, i.e. at least 10% and no more than 20%. This might sound like a lot to many organisations, but it reflects the importance of the subject, the need to do it properly, and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices.