2017 Security Awareness Report

A key challenge we face in the security awareness community is we have little data to make decisions.  What are the most common challenges awareness programs face, what are proven steps you can take to overcome those challenges, and how can you benchmark your program against others?  The annual Security Awareness Report answers those questions and more. To accomplish this, every year we conduct a global survey of security awareness professionals. For the 2017  report 1,084 qualified people from 58 different countries responded to the survey, well over twice as many from the previous year.  Our intent is to help you identify what successful awareness programs are doing right and provide actionable steps based on those lessons learned. Our findings are based on a substantial data set and rigorous analysis completed by both the security awareness and academic community, so you can have confidence that they are accurate and meaningful. We uncovered two main drivers why awareness programs thrive or fail. In addition, we uncovered a surprising key finding.

1. Time is Critical to Success

In last year’s report, we identified lack of resources as a key blocker. This year we narrowed that down to time. Time, not budget, is the critical resource for success.What does time specifically mean? We define it as the combined effort of people who contribute to an awareness program, measured as total number of full-time employees (FTEs). For example, if you have two people each working half time on your awareness program, combined their efforts are one FTE. Far too many organizations view awareness as a part-time job, crippling their awareness team’s ability to effectively get things done. We found the minimum number of FTE’s required to change behavior at an organizational level was 1.4 FTEs, while the most successful awareness programs had at least 2.6 FTEs dedicated to awareness.  Organizations with more than 5,000 employees most likely need to increase those numbers.

2. Communication is the Most Important Soft Skill

Last year we learned that a lack of soft skills was prevalent in the development of awareness programs. This year, we’ve defined that as a lack in communication skills. This includes the ability to both effectively communicate to and engage employees, as well as the ability to effectively communicate to and demonstrate value to leadership.

Surprise Finding

Women are twice as likely as men to be dedicated full-time to security awareness.  In many ways women have become the leaders in securing the human element.

To get full details , download the 2017 Security Awareness Report now.