Security Awareness Blog

The Security Awareness 70/30 Rule

After working on numerous security awareness programs for both large and small organizations, one thing I have noticed is what I will call the 70/30 rule. Roughly 70% of an awareness program shares the same topics and content as any other awareness program. This includes basic concepts such as social engineering, using email safely, passwords, encryption, etc. Only about 30% of an awareness program is unique to that organization, such as data protection policies or policies on personal devices. However, we can take this one step further. That common 70% of content not only applies to the organization, but also applies at home. Think about it: the vast majority of attacks that target the human are the same attacks people face when they are using their home computers, their home accounts, etc. Obviously, once again there are some differences. For example, many home users use peer-to-peer file sharing, while most organizations don't; most organizations don't have to worry about cyber bullying, while many families do.

However, there is enough overlap here that you can use it to your advantage in your organization's awareness program. Instead of creating training that says you must follow these rules for the benefit of big brother, start off by saying you want to help protect your employees, both at home and at work. Start off by explaining to them that many of the attacks they will learn about are attacks they also face at home, and that these lessons will help them protect themselves and their families. My experience has been very positive; most organizations and employees I have worked with really like this approach.

If you have had any success with this method, or any other method in motivating employees and getting them engaged in your awareness program, we would love to hear from you.