Justifying your awareness program can be a challenge, a challenge where you may need multiple methods to demonstrate your program's value.  Earlier this week we discussed comparing the resources your organization invests in protecting a standard operating system to the resources it invests in securing the Human operating system (i.e. your employees).  Here is a second option, do a root cause analysis of every incident for one month and see what percentage were caused by humans.  For example, the vast majority of infected desktops may be due to end users opening infected attachments, visiting malicious websites or using infected USB sticks.  An aggressive awareness program can stop these infections where most anti-virus programs fail. Depending on just how far you take this you may find most of your incidents are human related.  That SQL injection attack? It was successful because your developers were unaware about basic secure coding practices.  That old FTP server that was exploited on your network? Due to unaware IT staff that do not realize the need for patching and upgrading.  That social engineering attack on your Help Desk?  Due to unaware support personnel. Start digging and you may find most of your incidents for one month are due not to technical vulnerabilities but ultimately human vulnerabilities.