Measuring Security Awareness Success: For Your CISO — and Your Organization

3 Common Mistakes You’re Making with Your Security Awareness Program 

Share with your network!

Despite the vast budget and resources invested in cybersecurity, breaches are still commonplace and increasingly impactful. When these incidents are analyzed, there is a common factor—the controlling technology is undermined by human action. This can include staff handing out credentials, facilitating unauthorized requests, falling for spoof emails and running malware at the behest of an attacker. 

When the World Economic Forum states that 95% of security breaches occur because of human action, it is clear that security awareness throughout your organization is imperative. Yet despite years of activity, more still needs to be done. 

Here are some things you may be doing that will hinder your security program—and, more importantly, the steps you can take to fix them. 

Mistake 1: You have named your security program incorrectly 

As simple as it sounds, you may have chosen a poor name for your security program. 

We all focus on security awareness and build “security awareness programs” for our businesses, but that isn’t what we really want. Our true aim is more than just to improve awareness—it is to change behavior. Calling our program “security awareness” encourages us to focus on the wrong outcome. After all, if our real aim is to stop people smoking, we wouldn’t call our initiative the “be aware of the risks of smoking campaign.”   

This has an easy fix: Change the name of your program. Decide on the outcome you want and name your program appropriately—such as 'Security Behavior Change Program’ or ‘Build Security Culture Program.’ You will be amazed by the difference such a small change can make because the new title will be a constant reminder of what you are actually trying to achieve. 

Mistake 2: Thinking that ‘lots of awareness’ leads to culture 

The second mistake is related to the first. All too often, programs decide they can change the culture of the organization by increasing the amount of awareness training that staff undertake. That won’t happen. Culture is not the same as “lots of awareness.” 

There is an “ABC” maturity model that I use, which stands for awareness, behavior, culture. Each is a step that builds on the previous one. Critically, there is a pivot at each step—a change of focus that’s required to transition from one level to the next. 

Let’s assume we already do awareness. To pivot to behavior, you need to focus on making sure that your staff members understand the consequences of cybersecurity, both personally and professionally. Once they have awareness and motivation, they are much more likely to display the correct behavior. (There is science behind this simplified approach, and I recommend you check out Professor BJ Fogg’s behavior model.) 

Once behavior is on the road to achievement, then culture becomes your goal. The pivot for the culture step is the creation of a wide-ranging perception that everyone around the business cares about security. Note that I use the word “perception.” It doesn’t have to be true initially, as this is a real case of “fake it ‘til you make it.” 

Create that perception by tuning your communications plan to ensure that security messages arrive from across your organization—from executives, from receptionists, and especially from middle and line managers. Indeed, these messages should come from almost everyone except the chief information security officer (CISO).  

This will build a perception in each staff member that everyone around them cares about security, and that will create peer pressure for them to act in similar ways. This is the crucible of culture. 

Mistake 3: Using negative consequences as a primary motivator 

The key step to mature to the behavior level mentioned above is to create a motivation to change behavior. Motivation can be encouraged in various ways. One approach is to create a fear of punishment or embarrassment if staff make an error or fail a security test. 

Many security professionals have strong opinions on this matter. Some believe that negative consequences must be avoided at all costs. Others use them as their first and easiest motivational tool. Both are a mistake, and the best path forward lies between the two. 

Security teams that are swift to punish will lose the support of the masses and become perceived as the organizational traffic cop. You may be providing a service, but at the expense of agility, flexibility and pragmatism—all things modern organizations require in abundance. It will make staff less likely to approach you with concerns, vulnerabilities and ideas. Each punishment places another brick in your ivory tower. 

However, the organization I’ve seen with the lowest click rate for their simulated phishing tests had both a negative consequence model and an accessible and well-liked security team. How did they manage that? It’s all about timing. 

When first introducing a consequence model, focus it solely on the reward for doing the right thing. Only after the organization moves from the behavior maturity level to the Culture maturity level should the negative consequence model be considered.  

At that point you have a solid level of support across the business, and the negative consequence model can be positioned as the last stage, implemented to motivate those few laggards not yet aligned with the culture that the rest have embraced. The implementation is the same, but the messaging is completely different. 


In an age where identity is the new attack surface and people are so fundamental to our cyber defense, security culture becomes an essential control that every CISO should be prioritizing. Addressing these three common issues will make a remarkable difference to your security program. And it will help lower the risk of a successful cybersecurity breach via your user base.  

Find out more about Proofpoint security awareness training and get started driving behavior change today.