Top 3 Reasons Security Awareness Training Fails

Continuing our top three trend I wanted to share the top three reasons I see awareness programs fail.  By fail I mean they do not have an impact.  If compliance is your only goal, this is much simpler to achieve.  Having an impact through behavior change is a far greater challenge. 1. No Plan:  This is the number one reason I see programs fail, there no plan.  By plan I mean there is no defined goals, no framework, no analysis of which topics will have the greatest impact, or the most effective way to communicate those topics.   Instead, training is randomly developed then communicated in a ad-hoc manner.  The end result is people are unsure of their role in security, they have no idea what an attack would look like, let alone how to prevent or report one. Awareness training is like any other large project, you need proper planning, objectives, and milestones.  You need a framework to identify what topics you will communicate and how.  Several resources exist to help you do just this, including NIST's SP800-50 and ENISA guidelines.  In addition, at SANS Securing The Human we have put together a Deployment Package that has all the materials, templates and examples you need to create your own program.  If you really want to jump into the gory details, consider SANS MGT 433, a two day course on building high-impact security awareness programs. 2. No Engagement: The awareness training is boring, condescending or outdated.  In my class on how to build security awareness programs, the first thing I ask my students is who already has an awareness program in their organization?  Usually about 90% will raise their hand.  I then ask how many of them like their program, most of the hands go down (the few hands that stay up are usually the people running their awareness program).  The reason you see so few people actually liking their awareness program is the training is not engaging.   Awareness is a product, and to sell that product we need to think like marketing, something we in security are not good at.   However, I have seen several techniques work.  For example, communicate how security awareness benefits people in their personal lives (I bet 75% of your awareness topics apply to both work and personal life).  Do not focus on FUD but on how you are enabling people to leverage technology.  Communicate using the same media that people use today (Twitter, videos, blog, podcasts).  Keep it fun, ultimately turn your awareness program into a game. 3. Hit & Run:  For awareness training to have an impact it cannot be a singular event, it must be a long term commitment.  You are not going to change behaviors in a day,  it is a long term life-cycle. Think about it like this, people are about the only thing constant in your organization.  Technology will radically evolve and change, but the HumanOS is here to stay.  Investing in people long term can have huge return on investment.  To help you gain long term executive support, here are some resources for business justification.