Blog: SANS Securing The Human

Updates to Security Awareness Maturity Model

As we continue to grow and mature as a community, so too do our tools and resources. As such, we have made some minor changes to the Security Awareness Maturity Model to clarify what each stage is, with more precise titles. The steps to achieving each level are exactly the same; all we have done is clarify what each one means. These changes are especially useful when communicating to senior management about the status of your program and where you want to take it.

  1. Non-Existent

  2. Compliance Focused

  3. Promoting Awareness & Behavior Change

  4. Long Term Sustainment & Culture Change

  5. ...

When Employees Don't Change Behavior - Ask Why

As you roll out your security awareness program, or deploy training to change specific behaviors, be prepared for the fact that not everyone will change their behavior. Instead of becoming frustrated by failures or blaming employees, use this opportunity to learn and improve. Ask the individuals why they did not change their behavior. By using a behavior model such as the Fogg Behavior Model, you will also know what questions to ask. Specifically:

  • Motivation: Is the individual motivated to make the change? Perhaps they do not understand the importance to the organization or to themselves. Or perhaps, while they do understand the importance, they are more motivated to get the job done.

  • Ability: I feel this is the variable we often forget and probably the most

Instructional Design vs. Behavior Design (Which is Better for Awareness)?

Traditionally in the field of security awareness, trainers have looked to the field of instructional design for how to develop their security awareness training. Models such as ADDIE provide a framework that builds on how people think and learn. While such models are important, they may not be the only ones that apply to security awareness. Keep in mind that a large part of many awareness programs is not to teach people new skills but to change their behaviors. For example, people already know how to use email; we just want them to double-check the To: address before hitting the send button. As such, I think we need to move beyond just instructional design models and also look at behavior design models. For example, with behavior design, motivation and ability are key. With ability, perhaps our goal should not


Behavior Model - Helps Explain Why We Can Be So Bad at Awareness

Recently I attended the Human Behavior Design course by Dr. BJ Fogg. One of my key takeaways from the course is his Behavior Model and how it applies to security awareness training. By understanding this simple model (I highly recommend you take five minutes to check it out), you begin to understand why so many of our assumptions about awareness can fail. According to the model, the key variables to changing behavior are Motivation and Ability: the more you increase either variable, the more likely you are to change a behavior. The problem is most security


Security Awareness Summit Roundup

Folks, we wanted to share a friendly follow-up on the Security Awareness Summit this week. We had over 130 security awareness officers from around the world and numerous industries come to share their lessons learned. We designed the summit for maximum interaction, including a 'show-n-tell' table where people could share their awareness materials, attendee lightning talks, long breaks, and round tables organized by industry. In addition, we had six amazing speakers: Cheryl Conley from Lockheed Martin, Lance Hayden from Cisco, Cathy Click from FedEx, Jon Homer from Idaho National Labs, Dan deBeaubien from MTU, and Matt Beland from Davis Wright Tremaine. Over the next couple of weeks I'll be posting more about each of the talks and the Summit. You can download their presentations from

In addition, we will be holding several security awareness summits next year, to include