A security awareness program is a formal program with the goal of training users on the potential threats to an organization's information and how to avoid situations that might put the organization's data at risk.
The goals of the security awareness program are to lower the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to enforce the policies and procedures the organization has in place to protect its data. Policies and procedures might include but are not limited to computer use policies, Internet use policies, remote access policies, and other policies that aim to govern and protect the organization's data.
In information security, people are the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these characteristics in humans. "Social Engineering is the process of deceiving people into giving away access or confidential information". An effective security awareness program is the only known defense against social engineering attacks. Unless users understand the tactics and techniques of social engineers, they will fall prey and put the organization's data at risk.