Checklist: Is Your Security Awareness Programme on Track?
Use this checklist to design, evaluate, or improve a security awareness programme. Tick items off as you go.
1. Understand the problem scope
Not every security problem needs an awareness programme. Have you identified which issues are truly behaviour-related?
Avoid spending excessive time researching before acting. Start with common issues.
2. Apply the 80/20 rule
Keep 80% of your training content generic (e.g., passwords, viruses, physical security).
Tailor only 20% to your organisation’s specific context, risks, and culture.
3. Cover the essential awareness topics
Passwords
Remind users not to share user IDs or passwords.
Require strong passwords.
Discourage writing passwords down.
Viruses and malware
Warn users about viruses, especially in email attachments.
Ensure antivirus software is installed and updated.
Physical security
Keep premises secure.
Enforce clear desk and clear screen policies.
Ensure proper care of laptops and mobile devices.
Email and internet use
Prohibit sending sensitive information over the internet without suitable precautions.
Confirm internet use complies with corporate policies.
Incident response
Train users to recognise security incidents.
Make sure everyone knows how to report security breaches.
Information handling
Classify information correctly.
Collect printouts and faxes promptly.
4. Address common problems your programme can solve
Culture change – Plan for long-term cultural shifts where security is not yet valued.
Departmental variations – Adapt messaging for different teams, locations, and countries.
Distributed security management – Coordinate awareness across decentralised teams.
Legal and regulatory issues – Include privacy and legal responsibilities; adjust for national laws.
Policy disregard – Address users ignoring policy and management making unsafe exceptions.
New starter awareness – Ensure new staff understand policies, culture, and their security role.
Poor systems security – Promote secure development practices (e.g., SAMM).
Technical issues (e.g., viruses) – Teach users not to bypass controls or open suspicious files.
Justifying security – Treat information as an asset to help secure budgets and support.
Management resistance – Engage middle and senior management on their own responsibilities.
5. Define clear objectives using driving forces
Reduce costs
Show how poor security costs more time and money long‑term.
Demonstrate current costs, issues, and alternatives.
Present feasible cost savings.
Achieve compliance
Ask Internal Audit to notify departments well in advance.
Threaten disciplinary action for policy breaches (if appropriate).
Link staff bonuses to policy compliance.
Demonstrate consequences of email and internet abuse.
Include policies in induction training.
Publish audit results (e.g., “name and shame” league table).
Reduce security incidents
Configure systems to make antivirus mandatory.
Record time spent fixing virus problems and user downtime.
Run “virus‑free” awards with organisation‑wide publicity.
Implement effective content management systems.
Show cost savings from reduced incident handling time.
Protect reputation
Demonstrate threats to reputation.
Collect incident data from other organisations in your sector.
Build management support
Prove vulnerabilities are real.
Run a pilot awareness programme for management first.
Use risk analysis tools with management (gather data and raise awareness).
Identify key management stakeholders for security.
Obtain delegated CEO mandate for security activities.
Quantify incident costs and assign them to business owners.
Deliver annual risk statements with clear ownership.
6. Use additional resources
Review the UK Government Security Group’s Secure by Design guidance.
Apply the RACI matrix to assign responsibilities.
Use the asset evaluation sheet for threat modelling.
Select mitigations from the controls taxonomy.
Track progress with the self‑assessment tracker.
When building Python applications: train architects, developers and other relevant stakeholders using the (free) Mastering Security Testing for Python Guide.
