Security Awareness Blog

The 4 W's to Awareness Success

bj-fogg-behavior-model-grapicAt SANS Securing The Human we have over 1,000 active customers around the world. With so many customers we have gained a wealth of knowledge on what does and what does not work in building awareness programs. In this series of posts titled "The 4 W's of Success" we will share with you the lessons learned in building effective awareness programs. Today we start with an overview and then in future posts do a deeper dive into each of the 4 W's.

Ultimately for most organizations security awareness is about managing human risk. To manage human risk you must change human behavior. To better understand behavior my favorite resource is the BJ Fogg behavior model, which I have posted extensively about. This model is great for starting at the individual level, but how do you scale these lessons to an organizational level? That is where our experience and the four W's come in. By answering four simple questions you will develop a strategic plan on how to effectively manage human risk in your organization. Where we see organizations fail is they make no attempt at creating such a plan.

  • WHY: Why is cyber security important to both the organization and individual employees? Why should people listen, why change?
  • WHO: Whose behaviors do you want to change, what are your different target groups? Different groups within your organization can have radically different requirements.
  • WHAT: What are the top human risks in your organization, and what behaviors do you need to change to manage those risks? Remember, every behavior has a cost, so ultimately you want to change as few behaviors as possible.
  • HOW: (okay, so this one ends with a W). How are you going to communicate those new behaviors, how are you going to effectively engage people and cause change, and then measure that change?

In our next blog post we will begin with a deeper dive into the WHY. Learn more how SANS Securing The Human can help you manage and measure your human risk.