To effectively manage your organization's human risk, you need to change your workforces' behaviors. Behaviors such as how people use email, create passwords or share information. While at first this sounds fundamental and perhaps even simple, it is deceivingly hard. One of the most common reasons so many awareness programs fail is they focus on the wrong behaviors, make secure behaviors overly complex and/or overwhelm people with too many behaviors.
Dr. Angela Sasse has famously documented every behavior has a cost, not only to the organization but to the individual. Dr. Cormac Herley has published numerous papers on how organizations focus on the wrong behaviors. Behavioral scientists such as Dr. B.J. Fogg have repeatedly demonstrated that to change behavior, you have to make every behavior as easy as possible. Ability, and not motivation, is often the biggest blocker. Long story short, if you want to effectively manage your human risk, you need to first focus on as few behaviors as possible, and make those behaviors simple. A common example of how organizations get this is wrong is passwords. Too many organizations overwhelm and cripple their workforce by teaching the wrong behaviors, specifically password complexity or regular password change. These two behaviors cause far more harm than good. Instead organizations should be focusing on passphrases, 2FA and password mangers.
So what are the fewest behaviors that mange the greatest amount of human risk? If you can effectively change only five behaviors in your workforce, what are those behaviors going to be? This is where you need data and expertise to understand threats and risks, and how those determine what behaviors to teach. If you are looking to build your own training program be sure you are talking to both your Security Operations Center and/or your Incident Response team, this is one of your best sources of data. At SANS Security Awareness we leverage a team of experts to help us understand what the most common threats are, how those threats drive risk and the key behaviors to manage those risks. That expertise includes over 50 of SANS Institute's top instructors, partnerships with organizations such as the Internet Storm Center, and a community of over 1,000 security awareness officers.
There are many elements to building a high-impact awareness program, from learning theory and effective communication to impact metrics and maintaining leadership support. However one of the the first steps to building a strong awareness program is understanding what are the key behaviors you need to change, and how to make those behaviors as simple as possible.