There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This third blog in the series of 8 is about identifying your target groups.
In this second phase, you will map out your target groups in a structured manner. This will help you to customise the awareness programme to your target groups in the best possible way. This will increase the effectiveness of your programme, ensuring the results are more measurable.
Identify your target groups
Within the institution, you can expect to see different behaviours from different employees and users. A manager is a figurehead and has a leadership role. Field staff work with different information and use different ICT resources than employees working in the HR department, for instance. It helps to specify your target groups in as much detail as you can. This will ensure that you can customise your awareness programme as well as possible to important and specific characteristics of various subgroups. For instance, you can break down the target group of students into students who live on campus and those who don’t. Incidentally, target groups may overlap and it may not always be necessary to treat all target groups differently.
Analyse the target groups
Analysing your target groups will help you understand who your users are, what they are doing on a daily basis, and what systems and resources they use. This is important information, because the awareness programme must be geared to the users, their environment and their work experience. If the programme is not coherent, there is a good chance that users will avoid it, and the programme will miss its target as a result.
Risk analysis
In the previous phase, you mapped out the reason for the awareness programme and the current situation in terms of the associated risks. To make a risk analysis and identify which risks are more relevant for which target groups, you should create a risk matrix that sets out the risks for each of the target groups. Based on these risks, decide which are the most important to address in your awareness programme.
Next step
You have now identified your target groups and analysed where the greatest risks lie. The next step is the desired behaviour. In the next blog, we will describe how you define your goals and which target behaviour is associated with each of them.
Other blogs in this series:
- Blog #1: The utility and necessity of awareness
- Blog #2: Why an awareness programme?
- Blog #4: What is the overall aim and desired behaviour?
- Blog #5: Factors affecting behaviour
- Blog #6: What actions and interventions should you use to encourage the desired behaviour?
- Blog #7: Is your programme having the desired effect?
- Blog #8: Implementing the programme
About the authors
This series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
This year, too, GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022