A new survey by Trend Micro reports that workers consistently rank personal risk over corporate. Specifically, the survey of 1,600 employees found that "... employees were more focused on individual concerns and conveniences than their company’s overall IT security." To be honest, I don't think anything in the report should be a surprise. Its human nature, most people are going to be more concerned about themselves then the organization they work for. However, it seems like organizations forget this when they roll out an awareness and education program. To often these programs are nothing more then a series of rules of what people can't do. This is the wrong approach. One of the things I have found that gets tremendous feedback is focus on how the individual benefits. I've found that 70-80% of any security awareness program not only applies to work, but the same lessons learned apply to home. Lessons such as social engineering, how to maintain a secure computer, how to surf the web safely, etc. If you focus on how the individual benefits, they are more likely to listen. In addition, if you can get employees to practice secure computer behaviors at home, then these behaviors become second nature at work. So instead of considering reports like this a problem, jump on the wagon and use it to motivate people. Of course there will always be those who do not listen. No matter how you try to motivate people, there will be those who will violate what they have been taught. For this we have to put down the carrot and pick up the stick, unfortunately at times you also need strong enforcement.