What is needed to ensure the success of a security awareness program.
This process, as defined in the NIST documentation, consists of the following stages:
1. Developing an IT policy that reflects business needs tempered by known risks;
2. Informing users on the key security responsibilities, as documented in the security policy and procedures; and
3. Establishing processes for monitoring and reviewing the program.
It is crucial that the senior management and executives of an organization lead by example.
All users within the organization must be aware of the need for security and of their responsibilities in order for any security program to be successful.
It is crucial to understand that awareness is not training or education. Rather, awareness is the first stage in developing a culture of security within the organization. Security awareness allows people to understand their role within the organization from an information security perspective. Awareness helps people realize the need for further training and education.
In planning the development of awareness, training and education programs, it is essential to first understand that each of these is a separate stage and that the stages build upon one another. Initially, security awareness sessions help users improve their behavior from an information security perspective. Awareness sessions allow users to become knowledgeable in their responsibilities as they are taught correct practice within the organization. Development of awareness across all users helps improve accountability, one of the key tenets of creating a secure environment.
It is important that employees are trained to understand their roles and responsibilities from an information security perspective in order to show that a standard of due care in protecting the organization’s information security assets has been implemented.
No staff member may be expected to conform to the organization’s policies, standards and procedures until they have been informed adequately. As a result, uninformed users pose a risk to the security of the information assets belonging to the organization. A security awareness program helps users understand their responsibilities and allows them to address the need for security within their role.
Awareness starts as the first stage of an information security awareness, training, and education program. It by no means ends at this stage. Awareness is a continuing process that should be used to reinforce the training and education stages of the program.
Awareness is a continuing process to alter the user’s behavior and attitudes.
 NIST (National Institute of Standards and Technology) Special Publication 800-50