Call us on 03450 21 21 51

Raising awareness of Information Security in the workplace
The SRM Blog

Raising awareness of Information Security in the workplace

Ian Armstrong

Written by Ian Armstrong

25th October 2019

Share this article

raising awareness of cyber security

We all know that the national speed limit on a motorway is 70 mph and understand the potential consequences of exceeding it. So, why does almost everyone admit to occasionally going that little bit faster?

Are we complacent because we’ve never had an accident? Perhaps nobody in our close circle has had an accident either. But what about when a speeding ticket arrives in the post? The sinking feeling of having to pay to attend an awareness course or taking the points and facing a potential insurance hike. Most of us will suddenly pay closer attention to the speedometer once we’ve had the wake-up call.

The same can often be said for cyber security. All too often it takes a breach, a mistake or a penalty to get managers and staff to act differently. But if we know that the risk is there, why wait for the wake-up call?

Here are a few tips to help you communicate the importance of cyber security best practice within your organisation.


The right delivery

One of the main aspects of successful staff awareness training is choosing the right type of delivery method to ensure that it fits with both the audience’s expectations as well as the business environment day to day.

The audience

Always ensure your material is fit for the audience, based on their requirements and informed by their existing knowledge. New staff should always undergo information security training upon joining the business, and existing employees should be encouraged to revisit information security processes and procedures regularly.

Grab their attention

The delivery of a presentation must start with something that grabs the audience’s attention and makes them sit up and take notice. Consider something topical or perhaps something in the news. Failing this, try and have some back-up material such as anecdotes or stories that can be used in the same fashion.

Be sure to avoid delivering long lists of legislation, policy and guidelines. Despite their importance, these subjects need to be given a fresh and lively makeover; it has to be something the audience can identify with and relate to.


The subject of Information Security may not be filled with humour, but the ability to deliver the subject with an element of fun is essential to ensuring that the audience retains the message. It is a great way to get an audience to relax. As well as getting them to volunteer their participation with laughter, the subject becomes more appealing and is more likely to resonate with the audience.

Go to the theatre

Another method of bringing a little fun to the ‘stage’ is putting together a small theatrical event. The idea here is to get the serious message across as a short play. You could create characters with fun yet memorable names such as; Password Pete, Victor Virus, Cyber Sid etc. If possible and with the appropriate permissions, adopt the names of those in authority within your company. All of this can help to cement important ideas in the memory of employees.

Go to the movies

There are a number of movies that have been released over the years that deal with issues relating to Information Security. Try and include these and give examples of the scenarios that occurred. If at all possible, run a little trailer of the film (if work appropriate!) and then talk to your audience about it and how they would handle such a situation. There are many useful clips that are now easily available on YouTube.

Tell a story

Stories about real events, whether they involved individuals who work or have worked for your company, can be useful in raising awareness of information security challenges. Running through a case study can also help teams to work towards improvements and establishing new procedures and policies.

Make it newsworthy

The creation of a ‘Bulletin’ produced periodically could be an activity that is adopted as part of an on-going awareness campaign. The production of such a paper is likely to take a little more time than other presentation methods, but if it is done correctly it could be a powerful tool to relay Information Security Awareness to an audience. Articles from online newspapers could be included and are a clear way of making people take note and keep discussions ongoing within the team.


Audience participation is a sure way of ensuring that attendees will remember what they have been taught. The idea of a quiz is sometimes a little daunting for an audience but if you can make the quiz fun, interesting and interactive, then the results can be positive. The questions need to ask individuals (perhaps in teams to promote discussions with others) the likes of “What would you do if…” and perhaps “How you would deal with…”

Evaluation is a major aspect of the overall training process. It allows the trainer to determine what is working and whether or not things need to be changed. Remember, training programmes need to evolve to meet on-going business practices, but more importantly, to reflect the ever-changing cyber threat landscape. To talk to SRM about training, or to arrange a social engineering session, call +44 (0) 3450 21 21 51.





Back to top