A wide variety of hardware and software technologies are used to protect and control information, but it is important to remember that the designers and users of those technologies are human. When a deficiency in a technology is detected, it can be corrected and steps can be taken to ensure the same mistake is not repeated. Humans, on the other hand, may forget what they have learned, or may intentionally do something they know they should not do. In short, making mistakes is something people cannot avoid.
The need for information security awareness targets the human element. In the chain of technology and people involved in creating, processing and destroying information, the weakest link is the human.
Especially as world conditions change and develop, awareness must be updated periodically in order to protect information.
People are the focal point of social engineering attacks. When attackers cannot bypass system security precautions, the most effective way for them to gain access rights is through social engineering. The most important way to reduce the chance that social engineering attacks succeed is to increase the awareness, knowledge and skill of staff on this subject.
As a result of information security awareness studies, awareness of phishing attacks is assessed to have increased from 20% to 75%, and the success rates of these attacks to have dropped to single-digit percentages.
To ensure employees’ awareness, it is important that information security awareness trainings include the following key headings.
Information security awareness trainings not only benefit employees in many ways; they also provide added value to the institution or company.
Rewarding good behavior in the detection or prevention of security incidents would also provide motivation on this issue, as well as raising awareness.
It is very effective to support the information given in awareness trainings with various additional activities. For example, posters, surveys, handbooks and brochures, informational e-mails and, in particular, sharing the results of security testing with relevant employees can serve as supporting elements.
The awareness training process requires detailed study in itself and also requires expert knowledge. In this context, it is useful to get support from experts or organizations who have worked on this subject.