


3 truths for getting started with security awareness

Jul 22, 2013 · 3 mins
IT Leadership

Recognizing the first step of awareness and the three implications for those responsible for designing security awareness programs

The process from awareness to mindful action is a journey. Not everyone starts at the same place or progresses in the same way.

The journey begins with awareness. The powerful moment when an individual realizes the impact of actions, decisions, or events. In their own context, using their own words.

Initially, awareness may not include understanding, or even a pathway to action. It serves as an awakening. It stokes the desire to learn. It reveals the *need* to change behaviors.

So where does it start?

The first step of awareness is knowing where you are. Making sense of the awareness, even without understanding. Establishing the context and considering the implications.

Security awareness starts the same way

As people connect security impacts (positive and negative) to actions, decisions, and events, it is important to establish context. They seek a mechanism to make it make sense. Ultimately, they need a way to figure out where they are.

Where someone is helps identify the journey, as well as potential steps. It starts the process of understanding, action, training.

Recognizing the importance of the first step impacts (or improves) the design of security awareness programs. It has three implications for those responsible for security awareness programs.

1. Security awareness requires individual responsibility

There is a key distinction between telling someone something, and when they realize it for themselves.

Each individual is responsible to assess their own level of awareness. They make personal decisions to move, grow, and progress accordingly.

This means our role is creating the environment and the situations that allow people to reclaim their responsibility. To stop disconnecting them and work alongside them.

2. Security awareness programs must help others assess themselves

As people take responsibility, our role shifts to helping them make sense of what they are now aware of. The context and the conversations are important. Especially the conversations.

This is also where questions guide the experience. Basic questions get the process started:

  • What is your current level of awareness? How do you know?
  • What is your experience? How does your experience shape your awareness?
  • What is your knowledge? Does the person know about technology, but not security? Or maybe physical security, but not technology?

Note the open-ended nature of the questions. This is a double-edged sword (and something we need to explore further). The purpose is to help people assess themselves, using their language, experience, and context. 

It’s an opportunity for us to learn how to meet their needs in the process.

If we provide “the answers,” and ask people to conform, we prevent them from a proper self-assessment and risk missing out on crucial information for our efforts.

3. No one-size-fits-all

There is no one size fits all. It’s a phrase that gets a lot of lip service. When it comes to individual realizations, however, the Perfect Message Fallacy (PMF) is certain to derail blanket awareness communications.

This is why awareness must be separated from training and development (for more insight, consider “Understanding awareness, training, and development”).

We need a systematic approach to help people figure out where they are in the process. It needs to provide a sense of confidence and acceptance with their current “location,” and a pathway to head down. Autonomy of experience, timing, and outcome is important (and why this is a harder challenge than often considered).

As a starting point, work to help people discover ways to assess themselves. Focus on conversations. Take notes, look for patterns, and let’s start a dialog. 


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.
