Security Awareness Blog

Awareness Newsletters, Posters, and Blog Posts - Lame?

A common misconception I run into with awareness materials is they cannot change behaviors. For example, posters. We released a new security awareness poster called "You Are A Target", which explains to Ordinary Computers Users why they are a target and identifies all the different ways criminals can make money off of you. This is a great way to engage people and help them understand why they need to be secure. However a common reply I get from the technical security community is a single poster is lame, it will never change human behavior. Why do we even bother?

*sigh*, of course a single poster will never change human behavior. Nor will a single newsletter, single video nor a single blog post. If you are going to effectively change human behavior, you need to continually reach out to people and reinforce key behaviors. So no, a single poster will not save the day. However, if your poster is combined with newsletters, combine with videos, combined with phishing assessments - over a long period of time, then yes you can and will change human behavior.

For awareness to be effective you can't look at a single item or a single training, you have to look at the entire package, is everything working together towards the same goal. For more resources on how to plan your awareness program be sure to check out our free resources section.




Posted February 13, 2013 at 5:00 PM | Permalink | Reply

Robert David Graham

The SANS/Krebs poster educates. Education is good, awareness is lame. There are too many posters like the humorous Darth Vader Encryption one and not enough like the SANS one.

Posted February 13, 2013 at 5:26 PM | Permalink | Reply


Rob, thanks for joining in! I both agree and disagree with you. Yup, a simple sticker is not going to change any behaviors, it will definitely not educate. But it will remind. So if staff have had training on the importance of encryption, and how to use encryption, fun stickers like this can help remind people to make sure that PII always goes on only encrypted systems. Would this work for a law firm? Nope, not a cultural fit. Would this work for non-corporate cultures, such as tech companies? It just might.

Posted February 13, 2013 at 6:06 PM | Permalink | Reply


What is needed is something like a social marketing approach e.g. the adoption of marketing strategies to meet social ends. Companies don't sell products on the strength of one ad. They sell their products by being in your face constantly on different media and in different ways.

Posted March 21, 2013 at 12:38 PM | Permalink | Reply


Its always the simplistic photos that brings across the most effective message. This is no different; using the Darth Vader quote and changing it to match the purpose that you need not only reaches out to a wider audience but will most likely achieve its goal.