How many people would get a 3/3 on the following questions without even watching a training video? 1)   Do you need a password? Yes No 2)   Should you give your password to a stranger? Yes No 3)   True or False: All passwords should be displayed in the open True False What if 100 people were asked the following question on the local news, how many do you think would honestly say yes? Have you ever had racist, sexist or ageist …

Read more »

Welcome to Fantasyland where the budget is limitless and the users pay attention to everything you say! In Fantasyland you have amazing annual training that lays a solid foundation of information for your users. You have created testing that accurately and effectively measures user understanding of the training without being too hard or too easy. You have created additional content (e.g., posters, viral videos, newsletters, lunch and learns) that calls back to the concepts taught in training and changes user …

Read more »

Percent Retained = Information acquired    *100 Information presented   Retention is one of the main goals of any successful security awareness architecture. Without retention every poster, video, or lunch-and-learn is as valuable as ‘Snooki’ teaching a lesson in ethics. No one cares nor would they walk away knowing anything new or useful. The reason retention is such big factor in security is because of the relationship between memories and the forgetting curve. (See previous blog for full explanation). In …

Read more »

Punishment is evident in all aspects of our life to everything from getting drivers to stop speeding, to getting the dog to not bark at the mailman. Because of this, it is no wonder that several go to punishment when wanting to change user behavior. While punishment is a very powerful tool- that can produce almost immediate change in behavior- it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when …

Read more »

Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program the number of issues reported to the help desk has increased 100 fold. You …

Read more »