Why conflating security awareness beyond this definition reduces the effectiveness of your program

Opinion
Feb 24, 2014 · 3 mins
IT Leadership

Find out how the correct definition of security awareness clears confusion. Learn the only measurable outcome for security awareness that matters. Start on the pathway to change.

Ever wonder (or perhaps curse) why funding and measuring security awareness programs is such a struggle?

It’s because the term “security awareness” is misused and conflated into something far bigger, more complicated, and harder to obtain. Using the wrong definition of awareness increases the cost and effort necessary to influence measurable change.

The key to success is to use the right definition. Push back on colleagues, vendors, and solution providers who conflate. An effective awareness program has one outcome. Focus energy on achieving that objective (which likely means some change).

The only definition of “security” awareness that matters

Awareness, a universal concept, is simply: the individual realization of the consequences of an action, in their own context of intention and impact.

It boils down to an individual connection between actions and impacts (good and bad). Adding the word “security” simply narrows the focus on impacts and actions related to protecting people and information.

Why conflating security awareness increases friction in communication

Awareness is realizing the impact of actions. When someone is aware, it does not mean they:

  • Understand
  • Know what to do
  • Actually do it

Suggesting that security awareness is somehow greater than awareness, that it means people know, understand, and act, diminishes the term and increases friction in communication. It sets the program up to fail.

Here’s why: Moving information to understanding and guiding action exceeds the scope of an awareness program. While it may start with awareness, it takes an executive champion and often requires structural changes in the organization. It’s an entirely different challenge with different outcomes.

Because of the confusion, the natural (and correct) action is to reduce the costs and the burden on others. That means less funding and support for misdefined security awareness programs.

The chief outcome of a successful security awareness program

A successful security awareness program has only one outcome: people report suspected incidents. That’s it. No requirement to understand the incident. No expectation that individuals know what to do beyond reporting.

That means a security awareness program needs to connect impacts to actions. It needs to translate complexity into understanding. It must use the language and context(s) of the audience(s).

Individuals need to feel comfortable reporting things that “don’t seem right.”

Caveat: this often means considering – and changing – the way people report incidents. Think about the traditional way such calls are handled:

  • Do people know when and what to report?
  • Do they understand how to contact people? Is it email, phone, or something else?
  • What does the process entail?
  • Will they be scolded, mocked, or ridiculed?
  • What sort of involvement does reporting an incident require of them?

Steps to make those changes coming soon.

Start with the right definition to get results

When anyone suggests awareness is anything other than connecting actions to impacts, they’re conflating and harming the credibility of the entire industry. Call them on it. Stop doing it yourself.

For now, the first step toward improving your security awareness program is to use the right definition. Set the proper vision for your program. Then establish the right outcome and consider how your current efforts are aligned to achieve that objective.

Take friction out of communication to make it easier to get the funding and support necessary for change.

Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of success advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.