| This study investigated risk reduction by implementing security awareness programs in Puerto Rico metropolitan area companies, insurance and banking. Limited academic research in this area was found, especially, in the case of Puerto Rico. The status of security awareness programs, social engineering awareness, information security policies and compliance of those policies, auditing, and user perceptions in banking and insurance companies in Puerto Rico metropolitan area were also investigated.;Research was conducted in two stages. In the first stage, information regarding security awareness in organizations was gathered from the users. The intention of this study was to determine the status of security awareness in enterprises, policies, user perceptions, compliance, social engineering awareness and auditing any member of the organization has the same opportunity to participate. In the final analysis, 59 subjects started but only 55 subjects completed the research survey for a 93.22% completion rate. The participants were divided into 29 from the bank and 26 for the insurance company.;In the second stage, the information gathered in the first stage was analyzed and interviews were conducted with emphasis on processes identified earlier as potentially weak. An interview with Information Security and Information Technology staff were appointed to enforce the second stage of research. The purpose of the interview was to receive input from the IT staff perspective. A total of four (4) participants, two (2) for the bank and two (2) for the insurance company were interviewed.;Descriptive analysis was used. The majority of the responses were evaluated based on percentage, also median calculation was made.;Results from the research found that companies studied are implementing security awareness programs but there is a lack of assessment and emphasis on social engineering awareness. The research also found that companies receive management support for security awareness programs.;On the final chapter of this study, there is a closure with the conclusions and recommendations based on the results, and pointers to future research in this area. A framework for security awareness programs was presented, and implications for organizations and researchers based on the results of this research also were presented. |
