A common challenge I run into when helping others build a security awareness program is trying to decide on what human risks to focus on. You only have so much time and resources to communicate to others, and people can only remember so much. If you can only change 10 behaviors this year, which 10 are you going to change? I've seen awareness programs fail because organizations never took the time to prioritize their human risks/behaviors and as a result overwhelmed people with a huge laundry list of random do's and don'ts.
One of the interesting things I learned from Dr. Fogg and his behavior model is that different behaviors have different levels of difficulty. Some behaviors will be easy to change and some will be hard. While this sounds intuitive, his model helps you understand why this is the case. One take away for me was this. Once you identify the top behaviors you want to change, focus on the easiest ones first. Some
I just finished the book "Influence: Science and Practice" by Dr. Robert Cialdini. Dr. Cialdini is considered by many as one of the leading experts in influence, or what our community calls "Social Engineering". This is a powerful book, as you not only learn the techniques that cyber attackers can use against your organization, but can help you create a more effective security awareness program. What makes this book so valuable is not only is it backed by extensive academic research, but its written in a fun and easy to understand way. Dr. Cialdini identifies six principles for influence, what he calls "Weapons of Influence". What makes these principles so
Folks, just a friendly reminder that as part of #NCSAM we are hosting the first annual security awareness survey. The goal of this short, anonymous survey is to create a standardized industry report on how organizations are mitigating human information-related risks. The report will enable security awareness officers to make more informed decisions and benchmark their program to other organizations in their industry. The survey ends 17 Oct with results released in November, so act now if you want to contribute. In addition, if you take the survey you will get early access to the results. You can take the survey at www.securingthehuman.org/ncsam/survey.
Big thanks to Lance Hayden, author of IT Security Metrics, in helping us develop the survey.
At SANS Securing The Human, we recognize the important role National CyberSecurity Awareness Month (NCSAM) plays in bringing attention to the cybersecurity challenges faced by all organizations. NCSAM's activities not only help educate and inform people, but they also create a culture of sharing and helping others. Given our passion surrounding this subject, we are providing a variety of free resources to help organizations and their awareness efforts. These resources include a series of a webcasts, the first annual security awareness survey, a poster and a new tips sheet. Learn more at www.securingthehuman.org/resources/ncsam.
As we continue to grow and mature as a community, so to does our tools and resources. As such we have made some minor changes to the Security Awareness Maturity Model to better clarify what each stage is with more precise titles. The steps are the exact same to achieving each level. All we have done is better clarify what each one means. These changes are especially useful for when communicating to senior management about the status of your program and where you want to take it.
- Compliance Focused
- Promoting Awareness & Behavior Change
- Long Term Sustainment & Culture Change