By drafting and publishing a security awareness training policy, the organization sends out a strong message that it understands the need for information security, recognizes the vulnerabilities that its employees pose, acknowledges that training them is a priority, and is ready to invest time and resources in training them. This is the first step in reducing the often unaddressed realm of vulnerability the employees, being human, can pose.
Humans are susceptible to the threat of social engineering (through email, instant messages, phone calls, texts, or in person), to unsafe InfoSec practices (writing down their passwords on a sticky note), and unintentional security lapses (leaving their computer screen unlocked). By reducing this vulnerability, the risk will, in turn, be reduced, as risk is directly proportional to the vulnerability factor: Risk = Vulnerability * Threat.
The creation of the policy will lead to procedures, processes, and practices that bring the policy to life and help reduce the organization’s risk levels.