As part of our series of posts on getting your Security Awareness Programme up and running we thought it was time to cover how to create a security awareness strategy.

If you’ve not read the previous posts in this series its worth going back; and

Why create a security awareness strategy?

You’re avoiding crushing your security awareness activities into the dirt by not attempting to give training to all staff face-to-face. It is common at this stage to start looking for a vendor to fulfil your needs.

We’d caution you at this stage to take stock and create a Security Awareness Strategy.

There are a number of good reasons for this including:

  • It forms a document against which all of your efforts can be measured
  • Your stakeholders can explicitly buy into the strategy
  • It includes specific success criteria which aligns with reality, i.e. culture change won’t happen in a week!

In some organisations, you’d need to create a business case before you could proceed. Some of the elements we’re about to discuss could form requirements of a business case but we still recommend creating a Security Awareness Strategy. Your stakeholders are likely to be a broader group than you’d need to get a business case signed off and the business case process may not include some key elements of a good strategy document.

Security awareness strategy key components

Let’s be clear, the ultimate goal is culture change to align security and the organisation in terms of behaviours in a positive way. But if you are at an early level of maturity with regards security awareness you may never have communicated effectively as a security function before.

So, it would be difficult to know what cultural moves to make. Culture measurement should be part of your Security Awareness Strategy.

The key components of a Security Awareness Strategy are:

  • Definition of current state
  • Characterise your stakeholder groups
  • Create measureable objectives
  • Identify resources
  • Reference known successes in industry
  • Decide on high level approach
  • Build your plan

If you are just getting started with security awareness you’re less likely to have known issues to include in the Define current state stage so you should remember to include risk statements around not knowing to what degree behaviours are elevating risk.

Free stuff!!

At this point we realised that this post, if it’s to add value to readers, could end up pretty big. So, instead we’ve created a free PDF covering each component in more detail. Please download it from

If you enjoyed this post please come back regularly for further updates including upcoming information of security awareness events across Scotland and further afield. @adv_engage