A “generic” security awareness program sounds about as dull as it usually winds up being. To really reach a specific audience, to really get the behavioral changes needed to improve security in the organization, specific target audience segments must be identified, fine-tuned, and periodically adjusted as conditions and priorities change. Although there are no school solutions or etched-in-stone rules for determining who the target audiences are, here are some suggestions and guidelines.

Information Technology Providers—those who envision, develop, test, install, repair, patch, maintain, tweak, implement, remove, replace, explain, document, and answer questions and complaints regarding IT systems are definitely targets for the awareness program. And don’t forget the people who audit and secure the systems. Different subsets of the IT provider universe will need different security elements emphasized, and the manner of delivery might be different. Techies usually need all the gory details, sometimes down to the code instruction level or how this query is parsed by this subset of that system. A quick overview won’t do it for them. But if you start covering buffer overflow mechanisms and defenses with the IT help desk operators, you’ll be able to watch a glaze form over their eyes, even if they’re nodding their heads in seeming comprehension. These guys and gals want to know how to respond to user questions and what triggers indicate that the reported problem is, indeed, security related and should be referred to level 1, 2, or 3 in Department X or Y for resolution.

IT Customers/Users—this category includes almost everyone in the organization. These days, even the janitors are wired (more likely wirelessly connected) in. Anyone who interacts with information or information systems will need some grounding in appropriate information security concepts and procedures. If there’s an “all” category, this is it. Here’s where you might very well have security awareness and training elements that are applicable to everyone. Even so, the method of delivery might not be the same for “all.”

Information/Data Owners—a crucial target audience; but sometimes it’s hard to pin down who the “owner” of a specific piece of information is. This is especially complicated in the world of Storage Area Networks (SANs) and Network Attached Storage (NAS) and public or private or hybrid cloud structures, even though information ownership should have been clearly resolved before any migration to SAN or cloud or whatever. Once you do identify the owners, you must make them understand their significant security responsibilities. They generally decide who gets what kind of access to which sensitive information. To do this effectively, they need both a business and a security perspective. They’ll probably be well-versed in the business vagaries, so we need to make sure we emphasize security and relate it to the business reality they already understand.

All Managers—the group of “all managers” will, no doubt, include some of the owners referenced above, but also those people up the chain who don’t have a lot of contact with day-to-day operational information and procedures. However, the status of manager usually involves access to sensitive, sometimes highly sensitive material, and security mistakes by managers can be a lot more damaging than those by us working stiffs. Examples are all over the newspapers and nightly news. Managers also may get desensitized to the importance of specific information if they have it in front of them and talk with their peers about it for hours on end and for days, even months at a time. They’ll normally recognize the need for reinforcement of “handling sensitive information” components of your awareness program, but the training must not be patronizing. These people didn’t get where they are by being careless and unintelligent.

There are about as many ways to partition security awareness program audiences as there are organizations with a program, but here are a few more possibilities, outlined with possible subcategories into which you can assign specific people or groups:

By computer knowledge

◾ Alpha-geek wizard—knows all, sees all
◾ Web-head, crypto-nerd, Mr. Forensics, etc.—deep knowledge in one or a few areas
◾ Competent technician
◾ Application guru—might not be a techie, but can make one application dance
◾ Fully functional user
◾ Infrequent user
◾ Neophyte
◾ “What’s an applet?”
◾ Former technical manager—Caution! Can be very dangerous. Technical knowledge ages very quickly and not well. The tendency here is to overestimate technical prowess and demand a higher access level than is needed for the manager role.
◾ Multiple clouds implemented at home
◾ “Wireless device of the month” club
◾ Had RFID and GPS implanted in the dog… and on the kids

By organizational function

◾ Personnel administration
◾ Finance/accounting
◾ Production/manufacturing
◾ Marketing/sales
◾ Research/engineering
◾ Customer service
◾ Order fulfillment

Because this is a fairly common partitioning scheme, here’s an example of how one organization—a bank—divided its awareness audience by organizational function:

◾ Demand deposits
◾ Commercial loans
◾ Trust
◾ Mortgage loans
◾ Investment banking
◾ Investor relations
◾ Tellers
◾ Audit

When partitioning by organizational function, some degree of additional slicing will almost always be required. Here, for example, is how one company breaks out its information technology function:

◾ Programmer
◾ Analyst
◾ Telecomm specialist
◾ Network technician
◾ LAN administrator
◾ IT security officer
◾ Manager
◾ Webmaster/web content developer
◾ Cloud implementer

In conjunction with or instead of organizational function, you can partition by organizational level, such as:

◾ Senior executive
◾ Middle manager
◾ First-line supervisor
◾ Technician
◾ Business specialist
◾ Administrative assistant
◾ Clerical employee
◾ “The Masses”

The type/model of computer used can also be useful, but that changes so frequently that any example would be out of date before publication.

Employment status can be an effective delimiter, especially in an environment bound by multiple contractual and legal obligations regarding full-timers versus part-timers versus contractors, etc. Here’s how one organization does that partitioning:

◾ Employee
◾ Contractor
◾ Temp
◾ Co-op student
◾ Consultant
◾ Outsourcing firm employee
◾ Competitor employee on joint project
◾ Service/product provider
◾ Customer

Once the partitions are delineated, the next step is to determine approximately how many people are in each category. There might be 12 or 14 senior managers and hundreds, even thousands, in the general user category. To tailor the message and delivery style for optimal effectiveness, the size of audience “chunks” has to be factored in. Audience availability and scheduling, especially for the higher-ups, can be closely related to the size of an awareness audience partition.