In this phase, we do not have the capability of informing our users about anything. This may be because the security awareness capability is lower on the priority list of things to do than all of the other capabilities that are being developed. However, it is important to the organization and there needs to be a push to establish some basic items for users, such as:
- Acceptable use of organizational systems
- Email safety
But as the IT and InfoSec organization becomes more mature, so must the security awareness program.