The business case for security awareness

A day or so ago I wrote about organizations being pressured into security awareness for compliance reasons. 

With some exceptions, compliance is externally imposed and doesn't directly benefit the organization through increased profits; rather, it avoids or reduces the losses and costs (including penalties) associated with noncompliance. 

That is still a financial benefit but with negative, oppressive connotations. 

Today I'm moving on to more positive, profitable matters, the business benefits arising from security awareness and training, of which there are several:
  • Better recognition and identification of information risks
  • More appreciation and understanding of information risks
  • Fewer, less costly incidents
  • Better governance
  • Greater organizational and personal resilience
  • Organizational learning and sustained improvement (maturity)
  • A genuine, deep-rooted and all-encompassing corporate security culture
  • Deterrence
  • Getting the most out of other information security controls
  • Other spin-off benefits, e.g. inventories of information assets
You may have spotted an underlying theme, in that most of the benefits of security awareness and training stem from better information risk management. In a sense, awareness is 'just another security tool', but one with a multitude of applications, more Swiss multitool than hammer.

I am fleshing out all those bullet points into a template "Business case for an information risk and security awareness and training program" to be included in February's awareness module.