Security Awareness Blog

Effective Security Awareness Programs - Think Different

I'm a passionate believer that security awareness can work, that you can change human behavior and improve the security of your organization. Some people in the security community disagree; they feel awareness cannot work. If you look at security awareness programs of the past, I would have to agree. Those awareness programs failed to change behavior, but primarily because they never tried to change behavior in the first place. Instead, to date most awareness programs have been about checking the box, nothing more than an annual PowerPoint presentation or some newsletters to meet auditing requirements. In many ways, the security awareness programs of today remind me of honeypots ten years ago. When I first started playing with honeypots, people knew of the concept, but few tried to truly make a difference with them (Bill Cheswick, Fred Cohen and Cuckoo's Egg are several fascinating exceptions). When I first published "To Build a Honeypot" in 1999, most feedback was negative: honeypots could never work. And yet that all changed in 2000 when the Honeynet Project published a paper on tracking cyber attacker activities, one of the first public papers on cyber intelligence. Today honeypots are used for everything from gathering malware for anti-virus and worm tracking to search engines validating websites. I feel security awareness is in many ways in the same early stages. Few organizations in the past have had truly successful awareness programs because, to be honest, few have truly tried. To have an impact and secure the HumanOS, we have to start thinking differently about awareness and education.

Posted October 10, 2011 at 6:44 PM

Awareness is a fool's errand: if being aware of the right way to act caused changes in behaviour, we'd all be skinny, no one would smoke and there'd be far fewer divorces.
The reality is that people do things that bring them pleasure and avoid things that cause pain. We're really simple. We cannot control what causes pleasure or pain, and it is not universal. Some folks derive pleasure from having an admirable physique; some enjoy eating junk food. The latter are plenty aware that it causes health problems, but they won't change until the pain exceeds the pleasure (e.g. a heart attack in the extreme case).
Another example is life insurance. 20-somethings don't buy it. This is not because they don't understand what it does, but instead because they don't feel the need, i.e., the pain of being without the money exceeds the pleasure of knowing end-of-life costs won't be a worry. This changes when people get married, have a family, etc., and now derive pleasure from knowing they are taking care of their family.
Now, in a complex system like a modern company, some awareness helps, but it needs to focus on basic usability. How do you send an encrypted email, for example? Anything trying to alter behaviour is futile. Behaviour can only be altered by changing the pain/pleasure equation. In corporate worlds, this means changing incentives and penalties.
Want to invest your energy? Spend time trying to get a sanction policy implemented and consistently applied. Get security into the annual review. Reward people for good security and punish them for bad. Otherwise, you are asking for conflicts, and hoping that people will resolve the conflict in your favor. Which they generally won't.

Posted October 10, 2011 at 7:41 PM

Hah! Great input; you remind me of Marcus Ranum. However, I could not disagree with you more. You can change human behavior; in fact, there is an entire multi-billion industry built around it called marketing. For more specific examples, check out Click-It or Ticket[1] or how hospitals have reduced infection rates by raising awareness on washing hands[2]. No, you can't change everyone's behavior, but you can make a very large impact. I'll post more tomorrow on the direct value of security awareness programs.

Posted October 10, 2011 at 11:02 PM

I like the book Switch by Chip and Dan Heath as well. I dare say that in disagreeing with me, you agree with me. Your example of Click-It or Ticket is as I stated: enforcement, not awareness, changed the behaviour. They changed the incentives to cause riding without a seatbelt to be more painful than the annoyance of wearing one. As for the medical example, this is an exception, I think. The change in behaviour is aligned with the core mission: patient care. Everyone involved understands that this is a good change, and hospitals use enforcement supported by very targeted awareness[1].