Security Awareness Blog: Author - lspitzner

The "WHY" in Effective Awareness Programs


Last week we kicked off a blog series on the 4 W's in building an effective awareness program. In the first post we explained that to effectively manage human risk, organizations need to answer four key questions: WHY, WHO, WHAT and HOW. Today we focus on the first of those four questions, the WHY part.

So why do organizations have security awareness programs? Well, that's pretty simple: to meet compliance requirements and to manage human risk. Unfortunately, there are probably a total of five people in your entire organization who care about those reasons, and I'm guessing you are one of them.


OUCH! is Out - Password Managers

We are excited to announce OUCH! is out. Every month we publish the free OUCH! security awareness newsletter. Each newsletter goes through an intense review process by three different bodies of experts and is then translated into over 20 languages by a team of volunteers. For October, which is also Security Awareness month, we focus on Password Managers. Passwords are one of the most confusing and difficult security topics for people to master. As such, we wanted to focus on a solution that would make everyone's lives both simpler and more secure. Please share this edition with family, friends and co-workers. As always, you can find OUCH! at


The 4 W's to Awareness Success

At SANS Securing The Human we have over 1,000 active customers around the world. With so many customers we have gained a wealth of knowledge on what does and what does not work in building awareness programs. In this series of posts titled "The 4 W's of Success" we will share with you the lessons learned in building effective awareness programs. Today we start with an overview and then in future posts do a deeper dive into each of the 4 W's.

Ultimately for most organizations security awareness is about managing human risk. To manage human risk you must change human behavior. To better understand behavior my favorite resource is the


Awareness Training for Developers on Secure DevOps

Editor's Note: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense, and the Application Security Curriculum Product Manager at SANS. In this post, Eric introduces Secure DevOps and some key DevOps concepts.

This month, our STH.Developer Software Development Lifecycle (SDLC) training module was selected for the video of the month. The SDLC topic reviews the challenges that software development teams face when building security into their lifecycle. In case you missed it, we walked through securing a traditional Waterfall development lifecycle in a


Security Awareness Summit Roundup

The 2nd annual US Security Awareness Summit was held in Philadelphia, 10 August with almost 150 people attending. It was an amazing mix of security awareness officers from different industries, organizations and even countries, with people coming from as far as Brunei to attend. Here are some key takeaways from the event.

  • We had eight speakers, you can download their slides from our