Organisational Security Culture: Embedding Security Awareness, Education and Training
Furnell SM, Clarke NL
Awareness and understanding of security is fundamental to establishing a successful
security culture within an organisation. Published survey evidence reveals that although
awareness, training and education are recognised as having a significant relationship to
the achievable level of security, and are promoted in various security standards, many
organisations do not make sufficient use of them. This discussion paper examines the
general applicability of the techniques to employees at all levels, beginning with the end
user community, and the principal approaches that may be suitable for them. The text
then proceeds to consider the specific needs of individuals with key security
responsibilities within an organisation, highlighting the fact that in many cases, these
individuals do not have formal qualifications for the roles that they have been allocated.
The various levels of qualification are then examined, and structured within an overall
taxonomy to indicate the security expertise and capabilities that should be expected of
individuals that hold them.