The Five Secrets to Making Security Awareness Work in 2018

Monday, January 29, 2018

Perry Carpenter


So, it is the start of a new year and you are hoping to do great things with your security awareness and training program. You have a desire to move beyond simple ‘box checking’ and to actually change hearts, minds and behavior patterns. You know that it is the right thing to do for your organization and are looking forward to seeing the positive results. The sticking point, however, is that – like most organizations – you probably don’t exactly know how you are going to make it happen.

My hope with this article is to help you begin the process of creating a solid plan and foundation that will enable you to achieve a game changing level of security awareness and behavior transformation. With that goal in mind, here are the five secrets that I use to best position security awareness leaders for success:

Secret 1: Have a vision of what ‘good’ looks like for your organization

The key to implementing this secret is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework—I use the Michael Hyatt version.

Secret 2: View awareness through the lens of organizational culture

I’ll be writing about this more in the coming months. But here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will ‘win out’ over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture.

Remember the survey and interviews that I mentioned at the start of the first secret? This is where you’ll really get an idea of any organizational culture gaps that you need to account for. When you find these gaps, you’ll have a few choices: 1) modify your awareness program’s expectations and goals based on the identified gap, 2) work with organizational leaders to see how you can help influence the larger culture, or 3) take a hybrid approach where you modify some goals while also doing the work of trying to influence the larger culture.

Of these, option 1 is clearly the easiest – but has very little reward associated with it; it’s the ‘safe’ route. Options 2 and 3 will involve more work, politicking, and likely a bit of frustration, but offer the greatest long-term benefit for the organization and for you. This is also where you can begin to leverage things like security champion/liaison programs to help infuse security-related values throughout the organization to create consistency and sustainability.

Secret 3: Leverage behavior management principles to help shape good security hygiene

Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of – but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research of BJ Fogg, who heads up the Persuasive Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world that seek to create engaging experiences for their users and drive specific behaviors. His behavior model and his work around habit creation are published on his websites.

I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms distill some of the fundamentals of behavior management into an easy-to-deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change!

Secret 4: Focus on understanding the different personalities, drivers, and learning styles within your organization

(This goes back to the Specific and Relevant attributes of the SMARTER framework I referenced.) It is critically important to understand your overall organizational context, the different types of people within the organization, regional contexts, divisional and departmental contexts, and so on. This not only helps you tailor content that will best speak to each of the groups, but can also help you avoid stepping on potential landmines.

Secret 5: Be realistic about what is achievable in the short term and optimistic about the long-term payoff

So here is where the rubber meets the road. You’ve got all of the planning out of the way, created goals, understood the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization, and that sometimes means training people how to be trained!

But here’s the good news: the data show that you can see dramatic behavior change in as little as 90 days if you follow the best practice of combining security awareness content (e.g. computer-based learning modules) with frequent simulated phishing testing conducted at least monthly. In a recent study, we looked at the progress of more than six million accounts across nearly 11,000 organizations over a 12-month timeframe. Organizations that followed the best practice I just mentioned saw their employees’ Phish-prone percentage drop by 50% in just 90 days – from a 27% baseline Phish-prone percentage down to 13.3%. And consistent training brought that down even more dramatically at the 12-month mark… from that initial 27% baseline all the way to 2%.

Are you ready to make 2018 a break-out year for your security awareness program?

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.
