Blog: SANS Securing The Human

Influence: Science and Practice

I just finished the book "Influence: Science and Practice" by Dr. Robert Cialdini. Dr. Cialdini is considered by many to be one of the leading experts in influence, or what our community calls "Social Engineering". This is a powerful book, as you not only learn the techniques that cyber attackers can use against your organization, but it can also help you create a more effective security awareness program. What makes this book so valuable is that it is not only backed by extensive academic research, but it's also written in a fun and easy to understand way. Dr. Cialdini identifies six principles for influence, what he calls "Weapons of Influence". What makes these principles so


1st Annual Security Awareness Survey

Folks, just a friendly reminder that as part of #NCSAM we are hosting the first annual security awareness survey. The goal of this short, anonymous survey is to create a standardized industry report on how organizations are mitigating human information-related risks. The report will enable security awareness officers to make more informed decisions and benchmark their program against other organizations in their industry. The survey ends 17 Oct with results released in November, so act now if you want to contribute. In addition, if you take the survey you will get early access to the results. You can take the survey at

Big thanks to Lance Hayden, author of IT Security Metrics, for helping us develop the survey.


Resources to Make Your #NCSAM a Success

At SANS Securing The Human, we recognize the important role National CyberSecurity Awareness Month (NCSAM) plays in bringing attention to the cybersecurity challenges faced by all organizations. NCSAM's activities not only help educate and inform people, but they also create a culture of sharing and helping others. Given our passion for this subject, we are providing a variety of free resources to help organizations with their awareness efforts. These resources include a series of webcasts, the first annual security awareness survey, a poster and a new tips sheet. Learn more at



Updates to Security Awareness Maturity Model

As we continue to grow and mature as a community, so too do our tools and resources. As such, we have made some minor changes to the Security Awareness Maturity Model to better clarify what each stage is, with more precise titles. The steps to achieving each level are exactly the same; all we have done is better clarify what each one means. These changes are especially useful when communicating to senior management about the status of your program and where you want to take it.

  1. Non-Existent

  2. Compliance Focused

  3. Promoting Awareness & Behavior Change

  4. Long Term Sustainment & Culture Change

  5. ...

When Employees Don't Change Behavior - Ask Why

As you roll out your security awareness program, or deploy training to change specific behaviors, be prepared for the fact that not everyone will change their behavior. Instead of becoming frustrated by failures or blaming employees, use this opportunity to learn and improve. Ask the individuals why they did not change their behavior. By using a behavior model such as the Fogg Behavior Model, you will also know what questions to ask. Specifically

  • Motivation: Is the individual motivated to make the change? Perhaps they do not understand the importance to the organization or to themselves? Or perhaps, while they do understand the importance, they are more motivated to get the job done.

  • Ability: I feel this is the variable we often forget and probably the most