7 reasons for security awareness failure

There is a great dichotomy in security awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture -- in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases, such as protecting and attacking "Layer 8", have emerged.

Yet we periodically see the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation, not complete prevention, and it needs to be implemented properly.

While we previously spoke about what makes security awareness programs successful, it is also important to proactively recognize what might cause programs to fail. Even if you attempt to implement good practices, you have to ensure that you are not executing practices that subvert your program before you start. In this article, we address the practices that you should watch out for to prevent failure. In this case, failure generally translates to major losses.

Not understanding what security awareness really is

This is probably the most fundamental reason for the failure of most awareness programs. There is a basic lack of understanding in the industry as to what security awareness actually is. There is a major difference between security awareness programs and security training. Training is about providing a set body of knowledge and typically tests for short-term comprehension. Watching the standard "awareness" video is an example of such training.

The primary purpose of security awareness is to change behavior. There is no test of short-term comprehension. The only "test" is how a person behaves on an ongoing basis in the real world.

[The 7 elements of a successful security awareness program]

The mere act of providing a set body of knowledge does not change behavior. Information must be provided in a way that relates to how employees think and behave. There must be a personal association between the knowledge and how it would affect their actions. There is also a difference between providing an individual with information on a one-time basis and delivering information in different formats over the course of time to effect change.

In short, it is rare for an organization to actually understand and implement a program that intends to actively engage the employee with the sole purpose of striving for a better security culture.

Reliance on checking the box

Any good CSO will tell you that compliance is just a start for any security program. Security compliance standards do not guarantee security in any way; they just provide a minimum level of security countermeasures. Candidly, most compliance standards do not provide reasonable security, and it is especially true regarding security awareness.

The compliance standards for awareness are almost universally vague. They usually state something as broad as, "The organization must have a security awareness program in place." There is often nothing regarding the content or structure of such a program, and it generally falls upon the auditors to determine what is compliant. Auditors tend to know little about what constitutes a good awareness program, and they almost always approve the once-a-year, 10-minute awareness video, as long as it has a quiz at the end and you can verify that all employees have passed the quiz.

At best, these programs are examples of short-term retention, and they provide no reinforcement or actual proof that people exercise the appropriate behaviors as a result of watching the video. We have heard firsthand that, to satisfy such standards, a group of employees will assign one person to take the training, write down the answers to the quizzes, and then provide the answers to other people within the organization, so that the other people "don't waste their time reading the slides." This situation is not unique. In short, saying your awareness program is compliant does not necessarily mean it creates the desired behaviors.

Failing to acknowledge that awareness is a unique discipline

You can usually tell whether a security awareness program is going to be a success or failure by the person assigned to run the program. It is not the individual's fault; it is the CSO's job to know whether or not the person has the right knowledge, skills and abilities (KSAs). As awareness involves changing behaviors, you need someone with competence in what most technology professionals would consider "soft skills," such as communications and marketing.

As CSOs and CISOs are typically the ones who assign a person to run the awareness program, they usually assign people out of their standard pool of staff, who are technical. Rarely is it a person who was hired or assigned the position because they have the right KSAs.

Since security awareness seems to involve soft skills, most security professionals believe that anyone can pick up the job. A good security awareness professional will have good communications ability, be familiar with learning concepts, understand that awareness is more than a check-the-box activity, know a variety of techniques and awareness tools, and understand that the desired behaviors need constant reinforcement, among many other KSAs.

Just as you would not want to assign a person with no experience or decent technical ability to maintain a corporate firewall infrastructure, you do not want to hire a person without any awareness experience or communications ability to run an organizational awareness program.

Lack of engaging and appropriate materials

As previously mentioned, many or most awareness programs rely on computer-based training (CBT) carried out once a year. CBT can vary greatly in quality. Sometimes an organization acquires posters and newsletters. When there is a check-the-box mentality, lowest cost is frequently the deciding factor in determining which program to use, and the low-cost option is not always very good. Additionally, the materials might not be appropriate for the organization.

Even when low cost is not the deciding factor, you need to ensure that the materials are appropriate for the culture of your organization. Sometimes the person acquiring the materials has a bias for a particular presentation style, which is only engaging to a small segment of the organization's employees. For example, awareness materials appropriate for an Internet company will not be well received by investment bankers.

More importantly, it is critical that multiple versions of security awareness materials be implemented, as there are generational issues to consider. Research shows that younger employees respond better to blogs and Twitter feeds, while older employees respond better to traditional materials like newsletters and posters.

Not collecting metrics

Without metrics, there is no way to know whether or not a program is truly successful in achieving its goals. You do not know whether you are wasting money or proving value. You do not know whether you are decreasing the number of losses.

By collecting regular metrics, you can adjust your program to the measured effectiveness. By determining what is working and what is not, you can tailor future programs based upon lessons learned. Without such data, you are acting blindly and potentially proliferating failure.

The appropriate metrics also allow you to determine which components are having the desired impact. They should be taken prior to starting any engagement effort, at least once during the engagement, and again post-engagement, so that the three measurements can be compared. Without such metrics, you will waste time, effort and money. For example, if no one is reading your newsletters, there is no need to continue to create them.

Unreasonable expectations

Every time there is a security awareness failing, people bemoan the value of security awareness as a whole. While it would be great if security awareness could prevent all incidents arising from the exploitation of humans, it is not realistic. No security countermeasure will ever be completely successful at mitigating all incidents. There will always be failures.

With the collection of metrics, you can prove the effectiveness of the program and determine the most important aspect of the awareness program: whether the program is saving more money than it costs.

Relying upon a single training exercise

Similarly to relying upon the once-a-year CBT, many companies have begun to incorporate social engineering or phishing simulations into their awareness programs. While there is nothing wrong with these simulations as a form of training exercise, they only address a single awareness concern.

We identified 17-24 unique awareness topics related to user behavior, depending on the organization's industry sector. Focusing your efforts on a single attack vector leaves your organization wide open to other attack vectors. Admittedly, the simulations are used specifically because they do create metrics, which is incredibly valuable. However, they should not constitute the entire awareness program.
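The metrics section above calls for measurements before, during and after an engagement effort, and this section notes that phishing simulations are popular precisely because they produce such metrics. The script below is an added worked example, not code from the article or its authors, showing how raw per-user simulation results can be turned into before/during/after click and report rates, and, just as importantly, how to check whether a drop in click rate is real or just noise on a small sample. The campaign labels, user IDs, counts and 0.05 threshold are constructed assumptions for the illustration.

```python
"""Before/during/after metrics from phishing-simulation results.

Added worked example; not code from the article or its authors. The campaign
data is constructed, and the campaign labels, user ids and the significance
threshold are assumptions made for the illustration.
"""
from dataclasses import dataclass
from math import erf, sqrt


@dataclass
class CampaignMetrics:
    campaign: str
    targeted: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        # Guard the empty-campaign case so a misconfigured send does not crash reporting.
        return self.clicked / self.targeted if self.targeted else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.targeted if self.targeted else 0.0


def make_events(campaign, total, clicked, reported):
    """Constructed sample data: the first `clicked` users click the lure, the
    next `reported` users report it, the rest ignore it. Returns
    (campaign, user_id, clicked, reported) tuples shaped like a simulation export."""
    events = []
    for i in range(total):
        events.append((campaign, f"u{i:03d}", i < clicked, clicked <= i < clicked + reported))
    return events


# The three measurement points the article calls for: before, during and after
# the engagement effort. Counts are invented for the example.
SAMPLE_EVENTS = (
    make_events("baseline", total=40, clicked=14, reported=4)
    + make_events("mid", total=40, clicked=10, reported=9)
    + make_events("post", total=40, clicked=5, reported=16)
)


def summarise(events):
    """Aggregate raw per-user events into one CampaignMetrics per campaign."""
    by_campaign = {}
    for campaign, _user, clicked, reported in events:
        m = by_campaign.setdefault(campaign, CampaignMetrics(campaign))
        m.targeted += 1
        m.clicked += int(clicked)
        m.reported += int(reported)
    return by_campaign


def _phi(x):
    """Standard normal CDF via the error function (no SciPy dependency)."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def two_proportion_z(k1, n1, k2, n2):
    """Two-sided z-test for k1/n1 vs k2/n2. Returns (z, p_value).
    Degenerate inputs (an empty campaign, or a pooled rate of exactly 0 or 1)
    return z=0, p=1 rather than dividing by zero."""
    if n1 == 0 or n2 == 0:
        return 0.0, 1.0
    pooled = (k1 + k2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (k1 / n1 - k2 / n2) / se
    return z, 2.0 * (1.0 - _phi(abs(z)))


def compare_click_rates(before, after, alpha=0.05):
    """Did the click rate change between two campaigns by more than noise?"""
    z, p = two_proportion_z(before.clicked, before.targeted, after.clicked, after.targeted)
    return {
        "before": before.click_rate,
        "after": after.click_rate,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    metrics = summarise(SAMPLE_EVENTS)
    for m in metrics.values():
        print(f"{m.campaign:8s} click {m.click_rate:.0%}  report {m.report_rate:.0%}")
    for later in ("mid", "post"):
        r = compare_click_rates(metrics["baseline"], metrics[later])
        print(f"baseline -> {later}: {r['before']:.0%} -> {r['after']:.0%}, "
              f"p={r['p_value']:.3f}, significant={r['significant']}")
```

With the constructed counts, the drop from 35% to 25% clicks between the baseline and mid-point campaigns is not statistically significant on 40 users (p is about 0.33), while the drop to 12.5% in the post-engagement campaign is (p is about 0.02). That is the caveat a single simulation cannot give you: without the before and after measurements and a sample large enough to separate signal from noise, a "better" number proves nothing. Tracking the report rate alongside the click rate also captures the behavior the program actually wants, users reporting the lure, rather than only the failure it wants to avoid.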

Most security awareness programs are doomed from the start, but it doesn't have to be that way. You can implement the successful habits that we previously identified, but you first have to remove any impediments to success. By setting the proper foundation, you will be able to implement a program that has a true return on investment and mitigates what is described as the top vulnerability exploited by advanced attacks.

Stories by Ira Winkler and Samantha Manke