Security awareness is not easy especially when you start from the ground up. First you need to evaluate the culture of your security organization. Next, come up with a plan that addresses any issues or holes that you found. Then comes the creation/revamping of awareness/training content. Finally, set up the appropriate metrics to evaluate and monitor program progress over time. While this may seem simple, it does require a good amount of time and money but that should not stop you. There are three main things anyone can do to improve their security awareness program. All require minimal time, minimal money and can be done in house.

Step 1: Get Your Top Three

Even though you can’t fully evaluate the culture of your organization there is one very important part from which your program can highly benefit. Find out what the top three problem behaviors are in your organization. Basically, ask yourself what three user behaviors would drastically improve security? Next, go out and ask as many peers and higher level executives that you can­ the same question–the more people and the more diverse the better. Compile your answers and get your top behaviors from the results. It’s a simple question that could be sent in an email or asked at a meeting and it enables you to focus what little time and budget you do have on the important issues.

Step 2: Measure Measure Measure

Once you have identified where you need to focus it’s time to put metrics in place to measure changes in the behaviors (a.k.a., evaluate program effectiveness). In many cases your organization is already collecting some metrics that you could utilize. Lets say your number one problem was phishing attacks, including not reporting them to the help desk. There are several phishing services out there that will send attacks to your users and write up a very detailed result of the findings with many measurements, but that assumes you have the money to purchase those services. So how do you do this in house? In many cases the technology team has the data on successful and/or unsuccessful phishing attacks. Furthermore, the help desk keeps track of what types of issues are reported giving you your other metric. Using these metrics you will be able to see user behavior (1) before and after annual training, (2) during upswings in behavior, (3) during downswings, and (4) after successful awareness events/content is administered. This not only helps you maximize the effect of your efforts but also looks really good when trying to get more budget down the road. Remember, when setting up metrics think of what is already being measured within the organization especially across departments and use it to your advantage.

Step 3: Hit Close To Home

Once you know your problem behaviors and are measuring them it’s time to drive the message home. Ideally this would mean recreating all the awareness content and developing a supplemental content plan. Since we are operating on the assumption of less time and money we’ll go smaller. Send small, easy to make content that motivates your users to read it. Are a lot of your users parents or grandparents? Send a quick one page PDF on how to protect kids on social media. Or a check list on ‘identifying phishing emails at home.’ How to secure your home WiFi. These types of supplemental materials are easy to distribute, cost little time and little money, but can have a large impact (and you will be able to see this in your metrics).

There you have it. Three steps to help you improve the security of your users with limited time and limited budget.

For more from Kati find her on Twitter.

Katrina Rodzon

Security Program Manager at Bugcrowd, Inc
With an extensive background in behavioral science and influence, Katrina Rodzon applies this unique perspective to the conception and design of effective content, messaging, user experience research and analytics. Kati manages the methodology creation for assessing an organizations culture, and assists in creating effective social engineering tools and testing scenarios for penetration testing teams.