As you roll out your security awareness program, or deploy training to change a specific behavior, be prepared for the fact that not everyone will change. Instead of becoming frustrated by failures or blaming employees, treat each failure as an opportunity to learn and improve. Ask the individuals why they did not change their behavior. If you use a behavior model such as the Fogg Behavior Model, you will also know which questions to ask. Specifically:
- Motivation: Is the individual motivated to make the change? Perhaps they do not understand why it matters to the organization or to themselves. Or perhaps they do understand why it matters, but they are more motivated to get their job done.
- Ability: I feel this is the variable we most often forget, and probably the most important. Even if a person is motivated to change a behavior, do they have the ability? Did they get the training they need, and do they have the tools to get the job done? A common example is encrypting email. You have no idea how many awareness programs I see telling people to encrypt email without explaining how to do it or providing the tools to do it. We want to make sure the person also has the ability to perform the behavior.
- Trigger: When the moment arrives, do people know or remember to perform the behavior? Do we have to make the cue more obvious or more memorable? For example, do people remember to double-check the To address when they send an email, since the dreaded auto-complete may have selected a different recipient than the one they intended?
Only by learning from our failures can we really improve an awareness program.