Appropriate use policy must be understood by users:
Relevance: meaningful at a personal level
Roles: different responsibilities, duties, levels of security awareness, authorizations:
info owner: determine value and security level
info custodian: maintain integrity & confidentiality of info in their control
info user: consumer of info; proper handling
Responsibilities: general ones that apply to everyone, specific ones dependent on role
Cost effective: security as a process that continuously reduces losses by preventing incidents rather than a cost whose services are not used until after there is an incident.
what message, how to say it, how to get it to everyone
Delivery method: web site, login message, web-casting (pushing web content to desktop), newsletter, posters, trinkets
Timeliness: current events. International Computer Security Day (last business day in November).
Cost is biggest concern of awareness program; can be minimized by
integrating with existing training, newsletters etc.
general awareness to broad audience
focused awareness to specific groups, individuals
Change security from an enforcement organization by awarding & rewarding.
Lack of awareness: users bypass security features to make life
legal recourse needs prior notification