Security Awareness Blog

Top 3 Indicators of a Next Generation Awareness Program

Security awareness has gone through immense changes in the past two years. It has quickly grown from a compliance driven, once a year dreaded event to an engaging solution focused on changing behaviors. Here are the top three indicators a program is truly a 'next generation' awareness program.

1. Behavior: The biggest indicator is the organization's goal. If they are focusing on just compliance, if their program is nothing more than a once a year power point presentation, you have an 'old school' program. It will never have an impact because it was never designed to. Next generation awareness programs are focused from the ground up to change behavior. The organization has done a human risk analysis, identified the top human risks to their organization, and is attempting to change behaviors to reduce those risks. Instead of reaching out to people once a year, the program is actively, continuously reaching out to people.

2. Engagement: Old school awareness programs focused on how the organization benefited, how you must or must not do things to protect the company. Next generation programs focus on individuals, how people personally benefit. The vast majority of secure behaviors apply to both work and home, so organizations are focusing on personal lives. A metric to determine if you have an engaging awareness program is if employees are asking how their family or friends can take the training.

3. Detection/Response: When people think awareness they think prevention, the Human Firewall. Next generation awareness programs go beyond just prevention and also include human detection and response, the Human Sensor. We can't prevent all human based attacks all the time, but if there is an incident and people do fall victim they can still mitigate the risk by quickly identifying and reporting it.

What are some of the most exciting changes you are seeing with next generation awareness programs?

 

 

2 Comments

Posted April 25, 2013 at 11:55 AM | Permalink | Reply

Geordie Stewart

Interesting ''" good point about the growing behavioural focus.
What's your thoughts on the difference between how behavioural change is approached by information security and the approach of other professions such as marketing and public health?

Posted April 25, 2013 at 2:53 PM | Permalink | Reply

lspitzner

I think there are a tremendous number of similarities, especially with safety programs, just like you have brought up. Think energy, such as BP, Exxon or Shell. Getting oil and gas out of the ground is a very dangerous activity. Years of safety training has reduced the number of people that get hurt. We know you can change behavior, organizations have been doing it for years.