In this series of posts we have been discussing the different maturity levels of security awareness programs.  We started discussing the first two levels, having no awareness program and having a compliance focused awareness program, designed to meet only the minimal requirements.  We are going to pump up the volume now and take things to the next level, Promoting Awareness & Change.  This is where we enter a new era, the goal is to have an impact and change behaviors, to reduce risk in the organization.  This step is far harder then the first two, and often why you do not see most organizations reach this level. What makes this level different is the planning that goes in before hand.  Instead of just adhoc materials distributed at random times,  the awareness the program identifies the training topics that have the greatest impact in supporting the organization's mission and focuses on those key topics.  In addition program goes beyond just annual training and includes continual reinforcement throughout the year.  Would you consider your operating systems secure if you patched them once a year?  No, security is a continual process, a life-cycle.  Why should securing the Human OS be any different?  Content is then communicated in an engaging and positive manner that encourages behavior change at work, home and while traveling.  As a result employees, contracts and staff are aware your organization policies/processes and actively prevent, recognize and report incidents.  To help you and your organization reach this level we have put together a  security awareness deployment package that walks you step-by-step through this process.  Any  feedback on how to improve this model or deployment package greatly appreciated!