2 Choosing a Transformational Approach

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.

Kevin Mitnick, Congressional Testimony, March 2, 2000

Let's start with a simple question: why are you implementing a security awareness training program? That question may seem overly basic, but having helped thousands of security leaders with their programs, I can tell you from experience that most people haven't stopped to analyze what they are really trying to accomplish. Instead, they know that they should “do some security awareness,” but they don't really know what that means, and they don't know where to start. Add to that the fact that most people tasked with running a security awareness program have several other job duties on their plate, and you can see why it's so easy to end up with programs that are ineffective. They end up creating something that may help serve a bare-bones compliance purpose, but then the stack of competing priorities mounts so high that the awareness program manager is forced to move on and deal with the other tasks on their plates. In the back of their ...

Get Transformational Security Awareness now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.