For several years now I've been banging my head on a common problem when it comes to security awareness programs, how do you keep the auditors happy while establishing an engaging program that changes behaviors? In many ways the two goals conflict. Auditors often want to see as much content as possible covered, usually details of policies, standards, regulations and other mind-numbing content. Changing behaviors is often the exact opposite, you want to focus on as few topics as possible, but communicate them in an engaging and continuous manner that promotes changing behavior. To date I have not figured out how to best balance both. Fortunately Bob Rudis (Liberty Mutual Insurance) and Andrew Ellis (Akamai) provided one possible solution at their RSA talk titled Achievement Unlocked: Designing a Compelling Security Awareness Program. This was one of my favorite talks on the human element. Their solution? Do not even try to make the audit /compliance part engaging. Forget the stock photos and graphic design, instead make the strictly compliance piece as short and painless as possible, if nothing else a simple document that people read and sign. Do it only when you have to (perhaps once a year). This way you free up your time and resources to focus on your ultimate goal of the awareness program, engaging people and changing behaviors.
