Beyond Information Security Awareness Training: It Is Time To Change the Culture

The effectiveness of an information security program ultimately depends upon the behavior of people.

Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to

do. Although an awareness training program can impart information security knowledge, it rarely has a

significant impact on people’s feelings about their responsibility for securing information or their deeper

security instincts. The result is often a gap between the dictates of information security policy and the

behaviors of our people.