Security and Privacy Awareness Starter Kit

Awareness = Training + Reinforcement
Promoting organization-wide awareness of the importance of privacy and security protections is no easy task. It takes a well-planned campaign that is executed over time. But it can be done—with an awareness program that combines training and reinforcement to achieve the sustainable behavioral change you desire from your awareness initiative.

If you’re reading this document, you’re probably ready to reinforce your required training with additional communications, events, and activities to be sure that your messages around data protection risks reach deeply into the minds of employees. Many research studies, as well as practical real-world experience, have shown that the best way to create a security and/or privacy awareness culture is to offer an ongoing series of communications—in many different forms (e.g., posters, tent cards, newsletters, animations) and styles (e.g., fun, humorous, or serious)—that tie directly into the risks and target behaviors you’ve identified.

We’ve created this planning kit to help get you started. This document assumes you have identified potential data protection risks within your organization (identifying risks is beyond the scope of this document). Once you have identified potential risks, we suggest that you complete a “Risk, Behavior, and Intervention Matrix” and a “Training and Reinforcement Communication Plan” to give you an awareness roadmap. If we can do more to help you with your training and reinforcement efforts, please don’t hesitate to contact us at www.mediapro.com, call 800-726-6951, or email us at [email protected]. We’re here to help!
Top Data Protection Risks:
These are risks you have identified in your security audit, through practical experience, or from industry trends that you want to address with your training and reinforcement awareness program. Some typical risks may include:
1. Employees are not consistently following data protection policies, standards, and guidelines.
2. Employees not identifying private and/or company sensitive information and classifying that information correctly.
3. Employees not properly identifying phishing emails or social engineering threats.
4. Employees are not recognizing or reporting security incidents correctly.
Copyright © 2017 MediaPro, Inc.
Risk, Behavior, and Intervention Matrix
Each identified risk has associated desired behaviors, training solutions, and reinforcement solutions. Fill out this matrix to help identify the best solutions for your organization. Your organizational culture and support infrastructure will dictate many of the items that appear on this list.
RISK 1: Employees are not consistently following data protection policies, standards, and guidelines.

DESIRED BEHAVIOR
All employees will:
• Electronically certify that they have read the policies.
• Validate they understand the key policy points.
• Correctly identify who to contact with questions.
• Identify common policy mistakes and missteps.
• Describe the possible consequences of inaction.
Result: 50% reduction in policy violations.

TRAINING SOLUTIONS
Content presented in Lesson 1 of annual online training. Use knowledge checks and assessments to validate understanding.
Motivational content will explain why this subject is important (WIIFM), show common examples of mistakes, identify contacts (resources page), and discuss consequences.

REINFORCEMENT SOLUTIONS
• Make the policy certification (pledge page) part of the annual training.
• Place posters on all breakroom walls. Rotate every 2 months (6 posters).
• Send semi-annual online animations and/or games to all employees (not required to view).
• Provide reinforcement WIIFM “talking points” and case studies to managers to use in departmental meetings. Managers also discuss consequences.

RISK 2: Employees not identifying personally identifiable or company sensitive information and classifying that information correctly.

DESIRED BEHAVIOR
All employees will:
• Be able to identify what information needs to be protected.
• Classify information correctly.
• Apply the correct protections and procedures on a consistent basis.
Result: 40% reduction in misclassification and misuse of data.

TRAINING SOLUTIONS
Content presented in Lesson 2 of annual online training. Use knowledge checks and assessments to validate understanding.
Interactions within the training will allow students to: a) practice identifying PII and company sensitive information; and b) practice classifying that information into the correct categories.

REINFORCEMENT SOLUTIONS
• Provide job aids to all employees that handle PII and sensitive company information.
• Host a Security Awareness Day in October (cyber security month). Have an interactive “game show” experience where employees identify and classify PII to win prizes.
• Email a reminder (with links to a game or animation) to all departments with employees that handle PII and/or sensitive data 3 times during the year.

RISK 3: Employees not properly identifying phishing emails or social engineering threats.

DESIRED BEHAVIOR
All employees will:
• Improve their ability to identify and respond to phishing scams.
• Be able to identify the top 3 social engineering threats. Especially senior managers and executives.
Results: Reduce phishing response rates by 50% and reduce social engineering responses by 75%.

TRAINING SOLUTIONS
Content presented in Lesson 3 of annual online training. Use knowledge checks and assessments to validate understanding.
Interactions within the training will allow students to practice identifying phishing emails and view common social engineering threats.

REINFORCEMENT SOLUTIONS
• Email all employees a flyer called “Top 5 ways to identify a phishing scam.”
• Use an outside company to apply social engineering tests to “at risk” employees and senior management.
• Use a simulated phishing test to all employees 2 times a year and to senior management 3 times a year. Failure will take the user to a 45-60 second remedial review of what they should have identified in each phony email.
• Meet with the senior management team (at annual retreat) to review social engineering threats.

RISK 4: Employees are not recognizing or reporting security incidents correctly.

DESIRED BEHAVIOR
All employees will:
• Be able to identify the most common security incidents.
• Correctly identify how to report a security incident or whom to contact if they have any questions.
Results: Increase calls to the help line by 10%.

TRAINING SOLUTIONS
Content presented in Lesson 4 of annual online training. Use knowledge checks and assessments to validate understanding.
Interactions within the training will allow students to practice identifying data security threats and view ways to prevent any such threat. The incident reporting process is also covered.

REINFORCEMENT SOLUTIONS
• Place tent cards on all the tables in the cafeteria warning about mobile devices left unattended.
• Release a screensaver that explains who to contact in case a privacy incident occurs.
• Host an open “round table” lunch each quarter where employees can share their ideas on preventing data security incidents (prizes awarded).
• Include 2 brief articles in the company newsletter and the InfoSec web site about recognizing and reporting incidents.
Possible Reinforcement Solutions:
Are you ready to reinforce your training? Here are some ideas and examples to get started:

PRINT/ONLINE RESOURCES
• Posters and Web Graphics
• Newsletter/Web site articles
• Tent Cards
• Job Aids
• PowerPoint Discussion Starter with Talking Points
• Certificate of Completion for Training
• Various Award Certificates for Completing/Passing Phishing Tests, Game Scores, etc.

ELECTRONIC RESOURCES
• Animations
• Videos and Video Scribes
• Screensavers
• Interactive Games
• Email push (e.g., Job Aids, Privacy flier)

EVENTS/ACTIVITIES
• Awareness Days (with prizes and games)
• Fake Phishing E-mails
• Round table or “Brown Bag” Lunch Discussions
• Manager Reinforcement at Monthly/Weekly Meetings
• Guest Speakers
• Reward Programs for Good Behaviors (stopping a test tailgater, identifying phishing emails, etc.)
• InfoSec “Ambassadors” Embedded within Select Departments to Apply the Message
Training and Reinforcement Communication Plan
First Quarter

1. Deliverable: Awareness Training Course
   Due Date: 1/1/132/31/13
   Targeted Risk: 1, 2, 3, 4
   Key Message(s) and/or Purpose: Security Awareness with Privacy Principles
   Prerequisites: None
   Responsible Parties: Training Dept.; reminder from CIO
   Status: Completed

2. Deliverable: Article #1: Recognizing Incidents
   Targeted Risk: 1
   Key Message(s) and/or Purpose: Why we have corporate policies and guidelines.
   Prerequisites: None
   Responsible Parties: Communication Dept.
   Status: Pending

3. Deliverable: Posters: P06 Can You Keep a Secret and P09: Identity Theft
   Targeted Risk: 2
   Key Message(s) and/or Purpose: Protect Private Information
   Prerequisites: None
   Responsible Parties: Communication Dept.
   Status: Pending

Second Quarter

4. Deliverable: Article #2: Old Crime; New Tricks
   Targeted Risk: 1, 3
   Key Message(s) and/or Purpose: Social Engineering; Hacking & Dumpster Diving
   Prerequisites: None
   Responsible Parties: Communication Dept.
   Status: Pending

5. Deliverable: Fake Phishing e-mail
   Targeted Risk: 3
   Key Message(s) and/or Purpose: Identify bad emails
   Prerequisites: None
   Responsible Parties: IT Dept.
   Status: Pending

6. Deliverable: Round Table Discussion with IT and Business Leaders (videotaped)
   Targeted Risk: 1, 4
   Key Message(s) and/or Purpose: Discussion of current incidents in the news - how they affect our organization.
   Prerequisites: None
   Responsible Parties: HR & IT Dept.
   Status: Pending

Third Quarter

7. Deliverable: Tent Cards: TC02, TC18
   Targeted Risk: 2, 3
   Key Message(s) and/or Purpose: Secure private information; Don’t get “Engineered”
   Prerequisites: Awareness Training
   Responsible Parties: Communication Dept.
   Status: In Progress

8. Deliverable: Posters: P08, P11, P14
   Targeted Risk: 1, 2, 3
   Key Message(s) and/or Purpose: Key Privacy risks/behaviors; Remote Computing Risks
   Prerequisites: Email push
   Responsible Parties: Communication Dept.
   Status: Pending

9. Deliverable: PDF and Print Flyer
   Targeted Risk: 1, 2, 3, 4
   Key Message(s) and/or Purpose: Top 5 ways to identify a phishing scam
   Prerequisites: Newsletter Article
   Responsible Parties: Communication Dept./IT Dept.
   Status: Pending

Fourth Quarter

10. Deliverable: Guest Speaker – Law Enforcement
    Targeted Risk: 1, 2, 3, 4
    Key Message(s) and/or Purpose: Discussion on Physical Security Topic
    Prerequisites: None
    Responsible Parties: HR Dept.
    Status: Pending

11. Deliverable: Security Awareness Day! (October)
    Targeted Risk: 1, 2, 3, 4
    Key Message(s) and/or Purpose: Game Show Competition; Handouts; Free Stuff (pens, cups, etc.)
    Prerequisites: None
    Responsible Parties: Communication Dept.
    Status: Not Started

12. Deliverable: Malware Animation
    Targeted Risk: 1, 3, 4
    Key Message(s) and/or Purpose: Key Privacy Principles
    Prerequisites: Email push
    Responsible Parties: Communication Dept./IT Dept.
    Status: Pending
Reinforcement Resources
WEBSITES:
• http://www.mediapro.com/mpdemos (view sample/free posters, articles, animations, and awareness training)
  Login: StarterKit
  Password: GoodStuff
• https://www.privacyassociation.org/resource_center
• http://privacy.org/
• http://business.ftc.gov/privacy-and-security
• https://www.privacyinternational.org/
• http://mashable.com/category/privacy/
• http://mashable.com/category/security

FORUMS, ASSOCIATIONS, AND GROUPS:
• http://www.linkedin.com/groups/Online-Privacy-Forum-4617305
• http://www.linkedin.com/company/the-future-of-privacy-forum