One of the biggest challenges we face in security awareness is justifying our awareness program.  Awareness costs money, and organizations want to see a return on their investment.  It is no surprise that this is a challenge; demonstrating ROI in any security discipline can be difficult.  However, it is especially true with human security, as behavior is so hard to measure (what is the level of your employee loyalty, and how much is that worth?).  One idea I wanted to share is comparing how much your organization invests in protecting the desktop/laptop versus the employee using it.  For example, how much does your organization spend on:
  • Anti-virus for each computer.
  • Patching / updating for each computer.
  • Host-based IDS for each computer.
  • Standardized build and deployment for each computer.
  • Firewall software for each computer.
  • USB locking or data control systems.
  • Authentication software.
I'm not even getting started on network-based security controls and their costs.  Now compare how much is invested for each computer to how much is invested per employee.  This should help explain to management how and why the Human OS is so easily compromised, compared to the hardened desktop/laptop the employee is working on.