One of the biggest challenges security awareness faces is one of perception, many people in the security community have the misconception that awareness does not work. That is because they are basing their judgements on the past. Security awareness has traditionally been horribly broken, it had nothing to do with changing behaviors or even people, they were (and many still are) focused only on compliance. It doesn't take much to be compliant for awareness, all you need is a single presentation once a year or perhaps a quarterly newsletter. Anyone can easily figure out you will never have any impact with something so limited. Things have radically changed for awareness recently. I've seen a huge, fundamental shift where organizations are designing awareness programs from the ground up focused on changing behavior. The new awareness programs of today are dynamic, creative, engaging and continuously reaching out to people. Structure is being added to awareness programs, including identifying key human risks to the organization, the key behaviors in mitigating those risks, and the most effective way to communicate and measure those changes. We are still in the early stages of this change. Many disciplines within security have years of experience and have matured, disciplines such as forensics, penetration testing and secure software development. Security awareness is still ten-fifteen years behind these disciplines but that is changing. Keep your eyes open on the Human Element, it is an exciting field that you will see beginning to have a huge impact in the coming years.
