Information Security Training & Awareness
by Monique Hogervorst

Abstract:

Information security standards, best practices and literature all identify the need for Training & Awareness; in theory the case is clear. The surveys studied show that in practice the situation is different: businesses still focus on technical information security controls aimed at the external attacker. And although threats and vulnerabilities show that personnel security is becoming more important, the attitude of managers and employees does not reflect that. Information Security Training and Awareness is not recognised as a contributor to security. This needs changing, which means changing behaviour and attitude. One way of achieving that is giving people the information security knowledge and awareness they need for their role. It seems that the solution is not to be found in technical controls but on the non-technical side: human resource security and psychology.

A psychological model is introduced in this project and applied to information security. This model can be used as a tool to visualise and quantify the forces that impact on information security. Analysing the driving and restraining forces impacting on security in general, and on the security of information in particular, visualises how forces work together or against each other, and identifies the relationship with business processes. The driving and restraining forces of the information security force field diagram reflect all areas of information security countermeasures: technical, procedural and personnel. Visualising the forces enables the information security professional to explain to non-specialists why an organisation needs to invest resources and finances in securing information. The diagram will point out where investments are most effective and efficient.
The information security force field analysis and diagram introduced in this project can be a useful new tool for information security professionals to:

* communicate effectively to line and senior managers about the link between business processes and information security;
* explain how investment in training and awareness can impact on information security and improve the security of an organisation;
* quantify the level of security of an organisation in comparison with other organisations, or in comparison with the previous moment of measuring;
* quantify the impact of information security training & awareness.

The information security force field diagram will prove that investing in training and awareness is a very cost-effective countermeasure: it increases the overall level of security of an organisation and it decreases the restraining forces, and in doing so the driving forces become more effective.