Security awareness
Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.
Being security aware means understanding that people, whether deliberately or accidentally, can steal, damage, or misuse the data stored in a company's computer systems and held throughout the organization. Protecting the institution's assets (information, physical, and personal) therefore means taking steps to prevent that from happening.
According to the European Network and Information Security Agency, 'Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.'
'The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business.'
Topics covered in security awareness training include:
- The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information
- Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
- Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
- Other computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties
See also
- Access control
- Physical security
- Security
- Security controls
- Security management
- ISO/IEC 27002
- Winn Schwartau
External links
- MindfulSecurity.com: The Free Information Security Awareness Resource
- InfragardAwareness Security Awareness Training
- Free Security Awareness Resources
- Security Awareness Training Demos
- The Security Awareness Company: security awareness training company offering free security art, sample newsletters and free articles
- Humanisec: Employee Data Security Awareness, Training and Compliance
- Security Awareness Training Blog
- NIST SP 800-50: Building an Information Technology Security Awareness and Training Program
- ENISA: A Users' Guide: How to Raise Information Security Awareness
- Zero Flaws: articles that promote security awareness and understanding for non-technical people
- Microsoft: free security awareness materials, including templates, posters and presentations
- MSU Information Security Awareness Center: links to dozens of free resources useful to those creating a security awareness program
- Examples of the latest in online video awareness training
- Why Awareness? (video short)
- Terranova Information Security Awareness