Advances in information security software will never overcome the human element. Employees are often the last line of defense against a security breach and, in most cases, the weakest.

Creating a culture of security awareness is the best way to protect your organization from outside threats and internal data leaks, and it may be easier than you think. It involves simple principles that, when applied, can dramatically increase the effectiveness of your security awareness efforts.


Collaboration is at the core of every effective program. If you do not collaborate with other departments, your efforts will be scattered and ineffective.

Start with a top-down approach. Having the support of executives and leaders within the company can make it easier to work with other departments. Top-level executives are held accountable for any security breaches; it is in their best interest to promote security awareness.

Human resources, IT, and security should work together to identify each group’s concerns and combine them to create a list of objectives. What are our weaknesses? What are our strengths? What opportunities do we have to educate other members of the organization? How can we incentivize other stakeholders within the company?

Goals and Metrics

Collect metrics and set goals to increase the level of security awareness within your organization. You can conduct a white-hat phishing test or security awareness quiz to determine a baseline metric. Conduct training and retest to chart improvement. Sending an internal newsletter charting the improvements can help boost morale and increase awareness of your efforts.

Frequent Reminders

Frequent reminders will help employees realize that their contribution towards a secure workplace is a constant effort. Security awareness posters are an effective way to keep security awareness on everyone’s mind. You can change the posters each month to keep things fresh. You may also want to consider conducting your security awareness training on a monthly or quarterly basis instead of an annual basis. Splitting the training up into segments will also allow you to collect data from quizzes on a more frequent basis. Complacency is the biggest hurdle to overcome; be proactive and creative.


Don’t limit yourself to the typical methods of training. Think of fun ways to engage your workforce: create a game or conduct a contest. Give out prizes to the winners and let everyone know that their efforts will not go unnoticed.

Make It About Them

Securing company information systems is great, but how does it relate to an individual? Show employees that the knowledge and practices they are being taught apply to their personal lives too. Show them how to keep their personal bank account information, login credentials, and home WiFi safe. Help them make security a part of their everyday lives.


Threats to information security are constantly evolving. In order to stay ahead, you must implement practices that contribute to building a security culture. Meeting regulatory requirements is just a start and should be considered the bare minimum. Building a foundation for security culture in the workplace will not happen overnight, but it is well worth the effort required.