BJ Fogg Behavior Model

At SANS Securing The Human we have over 1,000 active customers around the world. With so many customers we have gained a wealth of knowledge on what does and what does not work in building awareness programs. In this series of posts titled "The 4 W's of Success" we will share with you the lessons learned in building effective awareness programs. Today we start with an overview and then in future posts do a deeper dive into each of the 4 W's.

Ultimately, for most organizations, security awareness is about managing human risk. To manage human risk you must change human behavior. To better understand behavior my favorite resource is the BJ Fogg behavior model, which I have posted extensively about. This model is great for starting at the individual level, but how do you scale these lessons to an organizational level? That is where our experience and the four W's come in. By answering four simple questions you will develop a strategic plan on how to effectively manage human risk in your organization. Where we see organizations fail is that they make no attempt at creating such a plan.

  • WHY: Why is cyber security important to both the organization and individual employees?  Why should people listen, why change?
  • WHO: Whose behaviors do you want to change, what are your different target groups? Different groups within your organization can have radically different requirements.
  • WHAT: What are the top human risks in your organization, and what behaviors do you need to change to manage those risks? Remember, every behavior has a cost, so ultimately you want to change as few behaviors as possible.
  • HOW: (okay, so this one ends with a W). How are you going to communicate those new behaviors, how are you going to effectively engage people and cause change, and then measure that change?

In our next blog post we will begin with a deeper dive into the WHY. Learn more about how SANS Securing The Human can help you manage and measure your human risk.