Security Awareness – how much should we spend?

Yesterday I was presenting to the Information Security Council of a large international company on the subject of information security awareness. It’s currently a hot topic as more and more organisations wake up to the fact that people are a major cause of breaches, yet not enough has been invested in this area, and much of it has been ineffective.

There are many reasons why security awareness initiatives fail to hit the spot. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. I’ve always found it pays to get external professional assistance.

One question put to me was: “What percentage of the security budget should be spent on security awareness?” A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends on where you are in terms of process maturity and on other factors that might shape your priorities, but in my view it should be 10-20% of the security budget: at least 10%, and no more than 20%. This might sound a lot to many organisations, but it reflects the importance of the subject, the need to do it properly, and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices.

1 comment

I have found on numerous occasions that the idea of security awareness is appealing but the actual application is often "too hard". Getting a lawyer who can charge £500 an hour to work out a more complex 8-character string is just not value for money in their eyes. A simple guide to how a password can be constructed has helped me convert users on a number of occasions. The example I use is the initials of the first person you kissed or had a crush on, plus digits from the first telephone number you were forced to memorise as a child. Getting the user to think up a series of complex passwords that would only make sense to them is not difficult; it is just a bitter pill that needs the right flavour of sweetener.