Successful Security Awareness programs hold employees' hands to the fire

While consequences have a negative connotation, consequences contribute to 80% of the success or failure of Security Awareness programs.

When I ask CSOs what consequences there are for security-related behaviors within their organizations, they almost balk at the idea. They assume that I mean punishments, and they reply that they rarely have the authority to strictly enforce any punishments. I have to point out to them that there are consequences for all actions: good, bad or neutral.

Clearly, punishment is a negative consequence. It can range from being called out to being fired. Sometimes the offender creates their own negative consequence by causing harm to themselves. How severe a punishment is also affects how useful it is. Rewards are the positive consequence, and they are not always the ones the organization intends: frequently, when people bypass security measures, they are rewarded with fewer impediments to doing their jobs. Sometimes rewards are a deliberate part of the organization's security program. More frequently, whether or not a person follows a security policy has no consequence at all, which is the neutral case.


One of the most effective Security Awareness consequences that I experienced was when I began work at a government contractor many years ago. My first day on the job, I forgot to lock up my burn bag. A burn bag is literally a bag in which you are supposed to place any classified materials you want to dispose of. Before you left the office for the day, you were supposed to place your burn bag in a locked drawer or similar storage. That day, I apparently left my burn bag out. The next morning, I received a call from the physical security manager, who wanted me to come to his office.

I walked in and he held up my burn bag and asked if I was missing anything that morning. He went on to tell me that the security guards do rounds, and they confiscate any vulnerable information. I said, "Thanks," and assured him it would never happen again. And it didn't. The consequence of being called into his office was more than enough for me to remember to lock up my burn bag in the future.

Another contributing factor is the probability that a consequence will actually occur. Even if there are clearly negative consequences on paper, a negligible likelihood of being punished negates them. Likewise, if you have rewards in place but rarely hand them out, they are moot. Consequences are only as useful as their consistency. In my case, I knew that the guards did regular rounds, so the probability of a negative consequence was high.

The ABCs of Awareness

Behavioral science has its ABCs: antecedents, behaviors, and consequences. Antecedents are precursors to behaviors. In Security Awareness, antecedents are typically information. That information can take the form of briefings, posters, newsletters, activities, or whatever else is in a traditional awareness program.


Behaviors are the actions a person actually takes, given all the motivators in play. They are what they are. For the purposes of this article, it does not matter whether a given behavior is the desired one.

Then there are the consequences. Consequences are the results of the actual behaviors, as discussed above. What is important is that while antecedents drive behaviors, so too do consequences. The stock example is that if you burn your hand on a fire once, you know not to do that again.

The 80/20 Rule

As should be obvious, consequences, such as burning your hand on a fire, are much more impactful than telling someone that the fire is hot. The adult version is the restaurant server who warns that the plate is hot. Many people hear the warning and assume the server is exaggerating. It is only when they feel how hot the plate is that they handle it more cautiously.

Studies indicate that antecedents account for 20% of behavior, while consequences drive 80% of behavior. This is a critical point to understand, and a major reason awareness programs fail.

I previously described why awareness programs fail. To put that information in the context of this article, it comes down to the fact that the antecedents are poor and the programs lack appropriate positive or negative consequences.

Putting the ABCs to Use

Obviously, it would not hurt to put out more relevant information. Putting the information out in multiple formats, so that it is more likely to reach people in a form they will absorb, is also a good thing. You can review the past article on how to create a successful awareness program as well.

At the same time, you need to look at creating the appropriate consequences. I previously discussed gamification and how to implement it in your organization. In this context, gamification is a way of creating positive consequences for consistently exercising the desired security behaviors.

Smaller contests or activities that fall short of a full gamification program can also be useful.

You should also approach your organization to see what support you can get to implement both positive and negative consequences tied to the overall security program. Security Awareness supports the overall security effort, so the entire security department should back efforts that get people to adhere to the appropriate policies.

Peer Pressure

Perhaps the strongest consequence available to an awareness program is your organization's security culture. Peer pressure is the most impactful tool that you have in shaping behavior. When I was at NSA, if a person did not wear their badge, all of their coworkers would call them out. If you left your desk with classified materials vulnerable, your manager would have a talk with you the next day, if your coworkers hadn't already.

In any environment, people pick up the daily patterns of their coworkers, and an organizational security norm forms. So if you want ubiquitous consequences, try to change group behavior. Depending on the behaviors and the rewards, you may find it easier to influence a group than individuals, and the group in turn influences the individuals.


I would love to recommend that you put 80% of your awareness effort into developing and implementing better consequences, but the reality is that you need more organizational support than you are likely to receive. In that case, you need to make do with creating more effective information and implementing consequences as the opportunities arise.

The primary reason for this article is that I find few CSOs, and few of the people responsible for implementing awareness programs, are aware of the impact that consequences have on the success of not just the awareness program but the entire security program. When you find that you are not getting the results you want with regard to organizational behavior, stop and consider whether you need to divert some resources toward consequences. Again, if you never even consider the issue, you are giving up on the factor that drives 80% of behavior, and with it most of your probability of success.

Ira Winkler, CISSP can be contacted at
