Management must take an active role in setting and supporting the information security environment.
Without management support, the users will not take information security seriously. Knowing how to assess and manage risk is key to an information security management program.
Then, using those standards, you can create procedures that can implement the policies.
Set information security roles and responsibilities throughout your organization. From management to the users, everyone who has access to your organization's systems and networks is responsible for their role in maintaining security as set by the policies.
Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks.
Know what is required for Security Awareness Training. The best security policies and procedures are ineffectual if users do not understand their roles and responsibilities in the security environment.
Training is the only way for users to understand their responsibilities.
They are concerned with the various aspects of managing the organization's information assets in areas such as privacy, confidentiality, integrity, accountability, and the basics of the mechanisms used in their management.
Know what management's responsibility is in the information security environment. Management cannot just decree that the systems and networks will be secure.
Even if you are not part of your organization's management team, watch how management works in the information security environment.