There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This fourth blog in the series of 8 is about the purpose of your programme and the behaviour you want to see in your target groups.
In this phase, you will decide what you want the awareness programme to achieve. How will you ensure that key privacy and security risks are mitigated? Start by formulating an overall goal and then break it down into more specific subsidiary goals. The more specific you can make these subsidiary goals, the more you will be able to influence behaviour and measure the effects.
Start by formulating an overall goal. In other words, what do you want the awareness programme to achieve? The more precisely you formulate this general behavioural goal, the easier it will prove later to break this down into subsidiary goals. You should deduce this behavioural goal from the threats identified in the first phase. For example: users within the institution should be sufficiently aware of the dangers of phishing attacks. If there are multiple topics that you want to address, simply associate multiple programme goals with these topics.
Define specific behavioural goals
Programme goals are often difficult to measure. Once you have established the programme goals, you can break them down into subsidiary goals. Subgoals may differ depending on the target group. Make sure your behavioural goals can be easily linked to KPIs (key performance indicators). KPIs make it possible to appraise performance and, if necessary, to make any necessary adjustments in a timely manner. This increases the chance that you will achieve your behavioural goals in the future.
You can easily decide on a behavioural goal by following the schema – or outline – shown below.
In [situation x], [person y] will exhibit [desired behaviour z]. Let’s look at an example:
The following behavioural goals can be set based on the programme goal you previously established that users within the institution should be sufficiently aware of the dangers of phishing attacks.
- As soon as a phishing email arrives, our employees will recognise this.
- As soon as a phishing email arrives, our employees will report this immediately to the security officer.
You now know which programme goals you want to achieve and which behavioural goals are associated with these. The next step concerns behavioural factors. In the next blog in the series, we will discuss the factors that influence whether your target groups will actually go on to exhibit the desired behaviour.
Other blogs in this series:
- Blog #1: The utility and necessity of awareness
- Blog #2: Why an awareness programme?
- Blog #3: Who are your target groups?
- Blog #5: Factors affecting behaviour
- Blog #6: What actions and interventions should you use to encourage the desired behaviour?
- Blog #7: Is your programme having the desired effect?
- Blog #8: Implementing the programme
About the authors
This series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022