The adage that "you are only as strong as your weakest link" is prevalent in today’s IT landscape and it is the human element that is still a critical factor when implementing any effective and robust security framework. The European Network and Information Security Agency (ENISA) and the Member States are continuing their efforts to positively influence the public’s behaviour towards information security, changing the mindset of the human element in order to achieve greater self-awareness.
To achieve this goal, the Agency has developed the "Information Security Awareness Programmes in the EU – Insight and Guidance for Member States", which is intended to provide an overview of the EU awareness programmes either undertaken or underway within Member States.
The information has been compiled based on the responses from the EU Member States and PSG members to the ENISA Questionnaire.
This information has been supplemented by interviews, research and additional material. It is envisaged that the details contained will be used to help disseminate practical information on good practices and to offer an opportunity to monitor progress in the national approaches to addressing information security awareness. The Agency has also constructed good practice recommendations and offers guidance on running awareness raising campaigns. This includes information on metrics and key performance indicators (KPIs). A roadmap has also been created to show a holistic progression of awareness raising initiatives.
Analysing the initiatives and efforts by Member States, several trends and commonalities have been identified with the work done to date:
- The total number of awareness raising initiatives in the EU has slightly risen over the last year
- Two-thirds of awareness programmes conducted have been run in the north of Europe
- As in the past, the difference in nature and number of awareness initiatives derives from the different levels of information security understanding and culture within the countries
- Almost every programme in Member State countries targeted the SME and Home User groups
- Awareness raising collaboration is growing with Internet Service Providers (ISPs)
- As in the past, phishing, spam and protection through firewalls are the main themes that are covered
- Awareness raising subjects that are growing in coverage include the use of mobile devices and WiFi
- Websites and training remain the most used communication channels to deliver the message as part of any awareness raising initiative
- Media is still primarily being used as a channel of communication, and not as a target group.
Responses from Member States detailed in the Information Package confirm this.
When analysing the most effective programmes that have been executed, and based on good practice methodology from ENISA, it is possible to identify several key pre-requisites and actions that are required for a successful awareness raising initiative:
- The message delivered has to be appealing and perceived as “of value” to the target group - the audience should be properly evaluated with interests, needs and knowledge identified
- Communication channels should be analysed to identify and then use the optimal delivery mechanisms - preferred communication channels per target group should be understood and utilized
- Public-private partnerships should be used to leverage synergies to help make sure that the initiative has the resources and expertise to deliver the right message to the right people using the most effective channels
- Multipliers such as teachers and the Media should be used to help increase the scope and coverage of any awareness raising initiative
- Metrics and KPIs should be used to measure the effectiveness of an initiative – lessons learnt through analysis of quantitative and qualitative data can be used to help improve future campaigns
It has been concluded that it is crucial to:
- Draw from the experience of other countries as awareness training and campaigns around Europe present many similarities
- Share knowledge as to how to raise information security awareness, and
- Review and re-use material available in different countries.
To this end, ENISA will continue to promote the exchange of information and provide material that could be customised and presented to the EU Member States to facilitate their work on awareness raising. ENISA and the EU Member States will intensify their efforts to influence the public’s behaviour towards information security in order to achieve greater self-awareness.