Cyber Awareness Program - 03 Online
AR-IN-A-BOX
YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME
CONTACT
For contacting ENISA please use the following details:
[email protected]
AUTHORS
Alexandros Zacharis, Dimitra Liveri, Georgia Bafoutsou, Marianna Kalenti (ENISA)
CONTRIBUTORS
Chloe Blondeau, Goran Milencovic, Theodoros Nikolakopoulos (ENISA)
LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or
the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does
not necessarily represent state-of-the-art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge.
Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.
COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2023
Reproduction is authorised provided the source is acknowledged.
Catalogue number: TP-09-22-590-EN-N
ISBN: 978-92-9204-591-3
FOREWORD
This is a step-by-step guide for the design of
a cybersecurity-awareness programme in your
professional environment. The document presents
all the necessary steps and relevant suggestions.
However, it is important to note that each
organisation should create their own tailor-made
programme, by picking and choosing the proposals
that suit their needs and recipients the most.
identify objectives;
secure financial resources;
ensure human resources (HR);
split your employees into target groups;
choose the right tools;
create a time plan;
implement the programme;
evaluate the programme.
[Figure: the eight steps. 1 Identify objectives; 2 Secure financial resources; 3 Ensure human resources; 4 Split employees into target groups; 5 Choose the right means; 6 Create a timeplan; 7 Implement program; 8 Evaluate the program]
The awareness-raising objectives stem from the risk assessment of the organisation. Every organisation might set different objectives for its own awareness programme, yet some generic ones that are always applicable, and can easily be converted to SMART objectives, are the following.
to test policies and procedures (e.g. escalation, backup, incident handling).
2 https://ec.europa.eu/info/sites/info/files/file_import/better-regulation-toolbox-16_en_0.pdf
NB: The roles as presented above do not exist in all types of organisations. In several cases one employee might
occupy more than one role (e.g. IT professional and cybersecurity professional).
11 groups of employees are identified as potential receivers of learning products and experiences. A further analysis of the audience groups can pinpoint additional meaningful clusters based on common characteristics of theirs (generic employee, chief level (C-level), and ICT and security professionals, as presented in Table 1 below), and can also provide insights on the approach and methodology for creating awareness.
provide knowledge on how to tackle and respond to such risks (how can I navigate the internet safely?);
influence behavioural change (why should I change my digital habits?).
Tools are considered to be the foundation of any activity and may include infographics, tip sheets, posters, videos, presentations, exercises, quizzes and puzzles, etc. (More information and an analysis are provided in “Promotion Channels Analysis” document of AR-in-a-Box
Table 2. Matrix of proficiency level per target audience and topic category
PL drop down per audience group and topic category
Audience groups: Generic employee; C-level; ICT and security professionals
Cyberbullying PL1
Sexting PL1
Cyberterrorism PL1
Certifications PL2
[Figure: Baseline quiz; Training topic; Videos and dissemination material; Holidays; Training topic 2; Simulation exercise; Back-to-school training; Games/test/quiz; Insights collections; Report to management]
Onboarding
Post-incident
Continuous
KEY RECOMMENDATIONS
The key factors for a successful awareness-raising programme are summarised below.
Deliver the right message to the right employee group. Identifying key audiences from the group of employees helps ensure messages are received by those who will be most receptive to them. Identifying the target audiences and tailoring the programme to their specific needs and level of knowledge, from the early planning stages of a programme, ensures that the right message reaches the right audience. Messages need to be clearly related to cybersecurity topics that audiences find familiar.
Learning by monitoring and evaluating. The development of measures to assess the impact of the entire programme should be considered from the very start of its design. Regular monitoring and evaluation help to keep track of what is happening and allow the team to take corrective action if necessary.
ENISA
European Union Agency for Cybersecurity
Athens Office
Agamemnonos 14
Chalandri 15231, Attiki, Greece
Heraklion Office
95 Nikolaou Plastira
700 13 Vassilika Vouton, Heraklion, Greece
enisa.europa.eu