For years I've been struggling with how best to demonstrate the lack of investment in human controls versus technical controls. A big shout-out to James Lyne, who gave me this idea based on a presentation he did in London in November.
In this graph you see numerous steps Microsoft has taken over the past 15 years to secure the Windows operating system. Now compare that to what most organizations have done to secure the Human operating system (HumanOS). Remember, both process, store and transfer information. Both have vulnerabilities that are actively targeted by cyber attackers. But only one has had any security defenses implemented. This is why I get so frustrated when I hear security professionals say "You can't patch stupidity". This is simply unprofessional arrogance.
Organizations have been successfully changing human behaviors for hundreds of years. The reason we, the information security community, still struggle with this is that we continue to think of security as a technical problem, when it is also a human problem. You can grab a copy of this slide from the Security Awareness Planning Kit.