More than 80% of security awareness professionals have highly technical backgrounds. That's great—they understand the problem—but that's bad because they're really bad at communicating the solution.
Lance Spitzner, Director SANS Security Awareness [1]
Have you ever watched someone trying to communicate with a person who doesn't speak the same language, hoping that talking louder and slower [2] will somehow magically help? Yeah—security awareness communications can feel like that.
We expect a lot of our employees when it comes to making secure decisions, protecting customer and organizational information, and behaving in a secure manner. Doing all of this can require a pretty complex collection of steps; and, while humans are generally pretty good at performing complex tasks that they've practiced and care about, they are not nearly as good at consistently performing complex tasks when they don't yet possess the required proficiency or motivation. But that hasn't stopped us as an industry from hoping that if we simply give people the right information, they will suddenly start acting in a more secure manner.
In Chapters 1 and 2, I introduced one of the fundamental problems that we must deal with: even if someone is aware, that doesn't mean that they care. Moreover, we can put out a ton of great information aimed at helping raise the awareness of our people, but we probably don't even know if our information dissemination ...