Bruce Schneier just published an interesting blog post on why he feels security awareness programs get incentives wrong. Instead of teaching people about risks, he suggests we should be firing people who get security wrong. He explains people understand the risks, just that people choose to ignore them. I disagree. There are some organizations that have an extremely low tolerance for risk, organizations such as these can and will fire those who fail to follow procedures (intelligence organizations are a good example). But for the vast majority of organizations simply firing people is not an option. First there are labor and union laws that make that impossible (especially for Europe). But even if firing people is an option, does it fit your culture, do you truly want people to be motivated by fear and resent security, because that is what is going to happen. The most successful method I have found that make awareness 'stick' and change behaviors is engage people, focus on how awareness personally benefits them. People face the same cyber risks at work as they at home. By teaching them how they benefit, and how they can protect themselves and their families, they are far more likely to change behaviors. Even better, they now have the same security behaviors both at home and at work, security is part of their DNA. Don't get me wrong, I'm not saying enforcement is not important. It plays an important part of any successful awareness program. However you want your first step to be on the positive side, engage people and you will change behaviors. My favorite metric for a successful awareness program is when people ask how their family and friends can also take the training. Hard to get that type of engagement when you are running around trying to get people fired.
