Over the past three years, I have been thrilled to see the security awareness community really mature. From Behavior and Maturity Models to data-driven reports and Ambassador programs, we have established a tremendous amount of structure for creating secure cultures. Just as exciting, over the past several years I have seen a growing number of awareness programs focus on highly engaging content, programs people enjoy taking and learning from. However, there is one area I'm still very concerned about: a lack of focus on WHAT behaviors to teach. As the well-known Dr. Angela Sasse of University College London so wisely stated, every behavior has a cost. Far too many organizations are overwhelming their workforce with random behaviors, or worse, teaching behaviors that ultimately cause more harm than good (password complexity or password expiration, anyone?). You should have a solid reason for every behavior you teach. In fact, the fewer behaviors you teach, the more likely you are to change those behaviors and, as a result, establish a more mature awareness program.

The key to success is understanding and prioritizing your human risks, and then focusing on the key behaviors that manage those risks. Unfortunately, this is something far too many organizations are failing to do. Either they lack the skills or resources, or they simply do not care. This is why at SANS Security Awareness we depend on a huge number of global experts to help us design our content. So what can you and your organization be doing?

  • Use a risk assessment process for assessing your human risk. Don't have a process? Consider the NIST Risk Assessment Framework or take the two-day SANS MGT433 course.
  • Determine how many risks you want to focus on.  One very large organization I work with has what they call their Cyber 6, just six key behaviors for their whole organization, and everyone knows them. 
  • Partner with your Threat Intel, Security Operations Center or Incident Response team to better understand and prioritize your risks.
  • Once you have identified those risks, identify no more than 3-5 behaviors to manage those risks. The biggest challenge in awareness is often not figuring out what to teach, but what NOT to teach, and what to eliminate, so you don't overwhelm people.
  • Simplify those behaviors as much as possible. Remember, as security awareness professionals we suffer from the Curse of Knowledge: what we perceive as simple, most of the world finds confusing or overwhelming.

Just these simple steps can go a long way toward building a far more mature and effective awareness program. To learn more, check out one of our upcoming events.