A common challenge I run into when helping others build a security awareness program is trying to decide on what human risks to focus on. You only have so much time and resources to communicate to others, and people can only remember so much. If you can only change 10 behaviors this year, which 10 are you going to change?
I've seen awareness programs fail because organizations never took the time to prioritize their human risks/behaviors and as a result overwhelmed people with a huge laundry list of random do's and don'ts. One of the interesting things I learned from Dr. Fogg and his behavior model is that different behaviors have different levels of difficulty. Some behaviors will be easy to change and some will be hard. While this sounds intuitive, his model helps you understand why this is the case.
One takeaway for me was this: once you identify the top behaviors you want to change, focus on the easiest ones first. Some may only take a couple of days or weeks to change; these behaviors may be as simple as getting people to use a different technology or enable a new feature. Other behaviors may be more difficult, as they require learning an entirely new process. Regardless of how you proceed, keep in mind that different behaviors will have different levels of difficulty, perhaps even for different targets. Leverage this to your advantage and focus on the simple ones first.