" As strategists, we can apply all manner of software/hardware technology to control and safeguard the activity on our
information infrastructure. While the most important, and at the same time weakest, link in the security chain are
people, there are no (publicly acceptable anyway) hardware modifications available to control human behaviour.
Awareness, however, is the solution that we can install in the human brain that offers the only chance to
strengthen this link. "
- Tom Giangreco, Director of Information Security, SchoolsFirst Federal Credit Union
" Information security can only be successful if it is seen as an integral part of the day-to-day work responsibilities, and
it is therefore necessary that everybody in the organization understands the importance of information security,
employees as well as top management. The long-term success of an information security program can only be
effective if there is awareness and support throughout the organization. Security awareness and training controls
have been identified as a mandatory part of an information security management system, and sponsorship for
information security needs to start at the top. "
- Angelika Plate, Owner AEXIS Security Consultants, Secretary of ISO/IEC JTC1 SC 27 "IT
Security Techniques", Editor of ISO 27001, Co-editor of ISO/IEC 27002 and 27006.
" There is probably no more effective countermeasure, dollar for dollar, than a good security awareness program."
"Although it is important for an awareness program to ensure that the right things are covered, the critical success
factor for an awareness program is the delivery methods. The advice must be simple. It must be made
personal...Advice that is realistic, understandable, actionable, and repeated is useful "
- Ira Winkler, "Spies Among Us", President Information Security Advisors Group, author
of "Spies Among Us", "Zen and the Art of Information Security", and "Corporate
Espionage"
" There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious
workforce. This involves training on the policies and procedures, but also—and probably even more important—an
ongoing awareness program. "
- Kevin Mitnick, "Art of Deception", founder of Mitnick Security Consulting, author of
"The Art of Intrusion" and "The Art of Deception"