Building the business case
Many of our clients need to prepare a business case for security awareness training to present to management. So, we thought it might be helpful if we provided some of the content that you can use for this purpose. A section of the business case will be provided each week. For this entry, we will start with what a typical table of contents would look like for this exercise, and I will also provide some sample content for the executive summary section.

A typical business case table of contents will include:
1. Executive Summary - overview of the plan
2. Introduction - subheadings in this section should include: background (why it's important to the organization to have security awareness training - the triggers or incidents that make it necessary), purpose of the paper, document approval/history.
3. Program Overview - goals of the program, overall structure of the program, target audience
4. Program Content - topics that should be covered, messages/communication to be delivered, materials required.
5. Methods of Delivery - frequency of delivery/model of delivery, communication/branding of the program, reinforcement methods.
6. Program Management - program plan, governance, measurement
7. Cost/Benefit Analysis - program costs, program benefits
8. Conclusion - review and references used
Sample Executive Summary Content:
This document outlines the business case for a creative security awareness program designed to create a strong security culture and reduce overall costs for the organization. The awareness program will focus on communication and deliver timely, innovative content on a regular basis. It is designed to provide role-based information security topical coverage to the various levels of users in the organization.
A dedicated program manager will be assigned who will work under the guidance of the Information Security Manager (insert other function titles that will provide assistance as well, e.g., HR manager).
This program will utilize a commercial off-the-shelf, customizable online training component to keep costs low. Other costs will primarily involve the program manager's salary.
The business benefits resulting from increased compliance and from reduced risks and losses through security breaches will outweigh the costs of the program. Metrics within the document will demonstrate the cost-effectiveness of the program.
Significant information security risks arising from accidental or deliberate actions and inactions by our employees remain a primary concern, even though the organization has invested in information security technologies to protect its information assets.
Generally, employees try to comply with information security policies and regulations. However, they sometimes fail to configure security controls appropriately, neglect to do their backups, or share passwords. Many leave confidential information on display on their desks, let strangers wander into the office area, or provide sensitive information over the phone. Deliberate threats by both outsiders and employees are inevitable, and we must be prepared and knowledgeable about hackers and social engineers.