ABSTRACT
The effectiveness of an information security program ultimately depends upon the behavior of people.
Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to
do. Although an awareness training program can impart information security knowledge, it rarely has a
significant impact on people’s feelings about their responsibility for securing information or their deeper
security instincts. The result is often a gap between the dictates of information security policy and the
behaviors of our people.