Page 169 - CISSO_Prep_ Guide
to help protect the organization, rather than possibly be the
person that makes a mistake leading to a serious breach.
The policy is nothing but good words if they are not backed up
by action. Policy needs to be implemented through procedures
and standards, and the contents of the policy must be
communicated to all staff. The policy is of little value if no one
knows it exists. Therefore, the main objective of security
awareness training is to ensure that everyone is aware of the
policy and knows what their responsibilities are. Security is the
business of, and a requirement for, all staff, and all staff must
work together to enforce, monitor, and promote the policies of
the organization.
Delivering an Awareness Program
Awareness programs have a well-deserved reputation for being
boring lectures about choosing stronger passwords (defined by
Bruce Schneier as a password that is impossible to remember but
should not be written down) and trying to sell security through
fear, intimidation, and uncertainty. This approach creates an "us
versus them" mentality. It encourages the thought that security is
working against the rest of the workforce instead of working
with them for the betterment of the organization.
Awareness training should be multi-faceted - interesting,
innovative, varied, and challenging. The message should be
tailored to the audience at a level they understand, should apply
to that audience, and should address the actions that specifically
apply to those in attendance. Using different media - such as
posters, handouts, brief messages, login screens, humor,
real-world examples, and rewards - in the awareness program can
appeal to the audience and pique their interest.