I'm a passionate believer that security awareness can work, that you can change human behavior and improve the security of your organization. Some people in the security community disagree, they feel awareness cannot work. If you look at security awareness programs in the past, I would have to agree. These awareness programs failed to change behavior, but primarily because they never tried to change behavior in the first place. Instead, to date most awareness programs have been just about checking the box, nothing more than an annual power point presentation or some newsletters to meet auditing requirements. In many ways, security awareness programs of today reminds me of honeypots ten years ago. When I first started playing with honeypots people knew of the concept, but few tried to truly make a difference with them (Bill Cheswick, Fred Cohen and Cuckoo's Egg are several fascinating exceptions). When I first published "To Build a Honeypot" in 1999, most feedback was negative, that honeypots could never work. And yet that all changed in 2000 when the Honeynet Project published a paper on tracking of cyber attacker activities, one of the first public papers on cyber intelligence. Today honeypots are used for everything from gathering malware for Anti-virus and worm tracking to search engines validating websites. I feel security awareness is in many ways in the same early stages. Few organizations in the past have had truly successful awareness programs because to be honest, few have truly tried. To have an impact and secure the HumanOS, we have to start thinking differently about awareness and education.
