It is very difficult to measure the return on investment in security awareness and training. What is all too clear is the cost when things go wrong and the failure can be attributed to user errors resulting from poor security awareness and training.
A number of organisations are moving away from traditional methods such as poster campaigns and CBT (computer-based training). Whilst these still have value, many organisations are turning to psychologists rather than security professionals to decide what works best for their culture. They are attempting to identify the triggers and associations that improve security behaviour across the organisation.
Some of the techniques employed are not especially sophisticated but rely on the basic human principle of rewarding good behaviour.
Some clever ideas include raising money for a nominated charity, where a donation is made every time an employee watches a predefined security educational video. For one organisation this not only raised significant sums for charity but also improved security awareness.
Another method, known as the countdown method, targets our increased use of social media. It interrupts randomly selected on-line users within an organisation and adds a timer before a message is posted, encouraging the user to review what has been written. This gives them the opportunity to consider and rethink the messages they send before they are published.
Another scheme takes into account our growing love of mobile devices and gaming and turns awareness and training into a game. These interactive games draw on our competitive nature: each one teaches a particular security concept and then puts the user into scenarios where they can apply it. The player competes against the clock and receives points for every correct behaviour.
It has also been shown that even a simple thank you from management to employees who have demonstrated security-minded behaviour has a marked effect in improving that behaviour.
We have touched on this topic before, highlighting initiatives like the Analogies Project, which is designed to align key security messages with things that resonate in our personal lives outside work.