How To Create a Security Awareness Communication Plan in 10 Steps
An information security awareness communication plan is key if you want your training and awareness efforts to yield tangible results. In this article, we will go through some top tips on what to keep in mind when creating one.
A security awareness communication plan is a way of structuring and marketing your planned cybersecurity training and awareness sessions and/or materials. It is much more than a calendar, and includes truly understanding the who, what, where, when, and why of your campaign.
You need to have a thorough understanding of your goals, audience, channels, resources and messaging in order to get the largest return on investment on your training and awareness campaigns. Read on to find out our top tips to ensure a successful awareness campaign through clear and engaging communications.
If you would rather get a visual overview on how to create a security awareness communication plan through an infographic format, click here.
10 simple steps to success
1. Decide what it is you want to communicate about
Make sure you know the reason and objectives behind the communication. Which risks will it tackle? Which behaviours do you want to change? Is it to link to a specific training that will be released, showcase learnings from a phishing awareness campaign, provide best practices on infosec, or promote an upcoming event? Only when you know what you want to communicate about, and why, are you able to construct a full plan.
2. Accurately identify your audience
Will the campaign be focused on a select group of individuals or will it be organisation-wide? Where does your audience get their information from? What is their preferred learning style? What is relevant to them concerning cybersecurity awareness, and what would they be interested in?
Consider whether the aim of this campaign is to reach a specific target segment or everyone in your company. This is relevant both when deciding on your messaging content and channels and when deciding on your planned activities and trainings. For example, a training on cybersecurity for children will likely be less popular amongst junior-level colleagues who do not yet have kids of their own.
When segmenting your audience, remember that the groups most interested in cybersecurity are likely those who already have a high baseline knowledge of key cybersecurity practices. The key is to identify those who you know need the additional messaging and develop events and trainings that would be interesting for these individuals. You can find some ideas here.
3. Identify which channels you will be using
The channels you have access to determine the type of communications you’ll be able to craft. Emails, internal newsletters, intranet pages, news announcements, chat channels, internal social media groups, or on-site notice boards are just some available options. Again, consider your target audience and where they could best be reached – there might be department-specific newsletters or specific chat channels you could leverage.
4. Identify KPIs for the communication
Make sure you know how to identify whether the communication has reached its goal or not. Is the communication a vector to drive participation in your trainings and events? In this case, you could look at overall participation rates.
5. Identify the frequency of communications
An important element to consider is how often to send out your messages. You want to ensure you aren’t creating communication fatigue by overloading your colleagues with messages, but you also need to make sure your point gets through. A good way of determining an ideal frequency is first to take note of what is customary in your company. Secondly, observe your open and click-through rates to identify whether the numbers are dropping off, which could indicate a communication overload. When in doubt, too much is better than too little. In general, the average business person sends and receives an average of 121 emails a day. This means that there is a high risk that your communication might not be noticed if you only send it once.
6. Develop a calendar of communications
Make sure you know when, how, and where to send out your communications. A calendar is useful not only when it comes to planning, but also keeping yourself accountable.
7. Draft your communication materials
You should consider the culture of your organization and whether a formal or informal tone is best suited. Although memes and tongue-in-cheek humour can be an ideal way of capturing the attention of colleagues within your company, they might not be appropriate in all workplaces. Whether you are able to leverage humour or not, the aim is to strike a balance between capturing attention and showcasing approachability and competence.
You should also create an identifiable branding that you leverage consistently throughout your communications. This could be in the form of a specific colour scheme, font, email layout, or header graphic. By doing this, your audience is more easily able to recognise that the message is coming from you, and pay more attention to the key points you want to put across.
If you don’t have any relevant awareness materials or are unsure where to start with the communications, consider bringing in help via external vendors, consultancies or agencies to develop infographics, posters, or copywriting (Subtle plug – we would be glad to help you! You can also
You can read more here if you want tips on how to best communicate, or here if you want to learn more about how to communicate a full cybersecurity awareness campaign.
8. Review materials where necessary
Do your communications need to be reviewed by management or an internal communications team? If so, the time to do this is before you launch your first communication. Make sure you have enough time for any feedback and adaptations so you’re able to launch your communications according to schedule.
– Send out your first communication! –
9. Measure the impact and feedback of your communication
In order to be able to measure the effectiveness of your communication, you need to gather data on its performance. This can potentially be done by observing participation rates of the advertised trainings and events, or through other metrics such as open and click-through rates. You can also collect feedback through various methods, such as surveys, polls, focus groups, or suggestion boxes.
10. Tweak where necessary
To continuously improve your communications and ensure as many people as possible in your organization are interested and engaged in your messaging, make sure to tweak any follow-up communications based on how your first messages went.
Hopefully the above has given you an indication of what to keep in mind when crafting your awareness communications. At Ozmeos, we can provide you with more in-depth details of each of the above points, or compile a full awareness campaign strategy and communication plan package. We have experience in developing full cybersecurity awareness campaigns, and understand exactly where each pain point might be.