In January of this year the National Highway Traffic Safety Administration released a report called "Analyzing the First Years Of the Ticket or Click It Mobilizations". The paper is extremely detailed, so I recommend if nothing else read the introduction. For you metric nerds out there you may enjoy the whole paper (as their methodology is well detailed). While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 - 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal of the campaign was to change behaviors, specifically to get people to wear their seat belts when driving (in related note, driving deaths in 2009 was the lowest ever, taking into account miles driven). The campaigns were very successful, resulting in a 20-23% increase in seat belt use regardless of which statistics they used. The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage.Primary law States (where an officer can issue a belt citation upon observing an unbelted motorist like all other traffic laws) had substantially higher seat belt use and higher levels of enforcement than secondary States (where an officer must first stop a vehicle for some other violation before issuing a seat belt citation).
In addition, what was interesting is that support for the enforcement grew with the awareness and media campaigns. In other words, support for the enforcement was higher after awareness campaigns. You will notice that 2007 saw the smallest difference, this is a result of the campaigns having been in effect for over six years.
I feel the key lesson here is not only must an awareness program effectively communicate, but to truly change behaviors what you communicate has to be enforced. An information security awareness campaign communicates what is enforced (your policies) and in addition it should communicate why. Then, follow-up that campaign with strong, visible enforcement. Finally, just like an awareness program, the NHTSA has their share of 'problem children' people who just do not want to listen and return. And just like any awareness program, NHTSA intends to develop specialized programs to reach them. Can we say .... management?
... supplemented by special programs targeting low-use groups such as occupants of pickup trucks, residents of rural areas, and nighttime drivers.