Whether it is to comply with the laws and standards regulating your sector or because you want to establish good practices internally, don’t wait until an incident occurs to raise your employees’ awareness of information security and data protection.

Of course, changing ingrained habits is not easy. It doesn’t matter if you’re trying to quit smoking, to lose weight or to adopt new cyber security habits, you are sure to go through the five stages of behaviour change. The following explains the stages that occur when an information security program is implemented, and how, as the person responsible for the information security systems, you can guide your employees through each of them.


1. Precontemplation

At this stage, employees are not yet aware of the changes that must be made. They are comfortable with their way of doing things. This is the perfect time to measure their level of vulnerability with a phishing simulation. Send them fraudulent-looking emails and see in the blink of an eye who opens the email and the attachment and who clicks on the link. Terranova’s Phishing Simulation platform is the ideal tool to test your employees’ ability to identify fraudulent emails and phishing attempts.

2. Contemplation

In this stage, any information can help employees become aware and understand the importance of the changes that must be made. With an awareness-building page, you can instantly show your employees the clues that should have alerted them to the potential fraud. You can also use just-in-time training and direct them to the appropriate training module and show them the right practices to adopt.

3. Preparation

The preparation stage serves to convince employees of the merits of making changes. It’s time to launch your communication campaign. That way, you can mobilize and inform your employees about what’s coming and the importance of adopting secure behaviours. Next, get going by rolling out your information security awareness training campaign. An excellent way of doing this is through highly interactive online training that includes situations, good practices, exercises and quizzes. You can do it on your own or be guided by a multidisciplinary team, who will ensure that your campaign is successful, by adapting it to the various risks present in your organization or your industry.

4. Action

During the action stage, your employees adopt the desired behaviours and attitudes. This stage requires a great deal of time and energy. The assistance provided here is therefore crucial. Reinforcement tools, such as information bulletins and posters, or games and contests between departments, can be excellent means of encouraging your employees to take charge of their own learning.

5. Maintenance

Congratulations! Your employees have succeeded in learning the good behaviour. But will they put it into practice?

It’s a good idea to implement new practices and establish new behaviours, but don’t forget to measure the scale of change and the effectiveness of your campaign.

You began by measuring your employees’ degree of vulnerability by sending them fraudulent-looking emails. You can now measure their progress by sending them a second simulation. By varying the level of complexity of the simulations, you ensure that what they have learned is put into practice every day. By analyzing the results using dashboards and detailed reports, you will be able to compare your campaigns. It’s through repeating each step that you will note a real change in your employees’ behaviours.

We wish you every success!