• United States




6 reasons why awareness programs fail even when following best practices

Oct 24, 20174 mins
Data and Information SecurityIT Training Passwords

Taking into account the traditional critical success factors of security awareness may not be enough to create a security aware environment.

While we still have some way to go, thanks to initiatives such as Cyber Security Awareness Month and the relentless effort of many Chief Security Officers and other security professionals, security awareness programs are becoming a well-established practice in many organizations. Yet, after all that effort, people still remain a key vulnerability and we can only conclude that security awareness programs are not always as effective as we hope for.

Even more troublesome, is that I have seen unsuccessful results in what I would consider ‘best practice’ awareness programs. I.e. programs that took all the traditional security awareness critical success factors into account, such as:

  • Obtaining executive management support
  • Inclusion of internal communication team
  • Making it “interesting”
  • Using leading marketing and learning techniques
  • Branding through a clear and distinct identity
  • Implementing behavioral accountability

These success factors were also identified in a book on Security Awareness that I wrote 13 years ago. Clearly if awareness programs are failing, there is a need to revisit these, and where needed amend them or add some more nuance.

To do that we need to first have a look at the root causes of why awareness programs are failing or less successful, even when doing by the book (mine or another). Below, I summarize the most important ones that I have seen or personally experienced over the last years.

1. Massive competition from other communication campaigns

Security awareness is just one of many corporate communication campaigns. The awareness messages often get lost between the many other communications. In companies that strongly govern communication campaigns, there may even be long periods where there are hardly any slots available for sending more than one security awareness communication per year.

2. Learning fatigue

Not only are there many other communication topics, there are also many other awareness and learning topics. Corporate values, corporate strategy, corporate social responsibility, privacy, code of conduct, quality, diverse compliance topics, etc. to name just a few.

Your target audience has become numb for the many awareness messages and training programs, and just pass by them or sit through them without truly absorbing them.

3. General disinterest of the target audience in the topic

Many people still do not understand that security is a topic of relevance for them. As such, the messages are being ignored and mentally filtered out as noise. Security has an abstract meaning to them. It is hard for people to understand how to connect their personal behavior to eventual outcomes. They also don’t believe it is their direct responsibility. While awareness tries to overcome that, it is hard to break through that first major barrier of making clear that it is of interest. Because only then will people start to pay attention to the message.

4. Digital learning platforms are only partially effective

Web based learning and other digital learning platforms are good ways to reach many people and to track and trace participation. They have therefore become the core of many awareness programs. But, even when all forms of interactivity and innovation are being added, they remain ineffective for audiences with lower motivation and interest. And as established above, we are dealing with such an audience.

5. Security resources are not necessarily good communicators

Much of the content needed for awareness is intended for non-specialized, non-technical and often non-interested audiences. Writing such content in a way that is understandable and appealing to such target audience requires a specific set of skills and expertise. Security professionals may have excellent analytical, security incident response and / or managerial skills, but may not have time nor the skills to create content that is readily consumable for awareness purposes.

Compensating with external resources or off-the-shelf awareness materials helps, but often makes the content bland and not specific enough to the organizational context.

6. We rely too much on people being able to do the right thing

The technologies and threats change constantly, it is hard for end-users to keep track of what secure behavior means in an ever-changing environment. We cannot expect them to become experts. Additionally, even if we can change the behavior of most, we must consider that computer security is in often only as strong as the weakest link.

Don’t get me wrong, I am still a firm believer in the need for security awareness initiatives. However, we do need to take these inherent challenges into account, and do things differently. In a next blog, I will provide some insights on how you can overcome these hurdles.


Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. He has helped companies from 15 to +150.000 employees across the globe and in many different industries, including heavy regulated ones such as banking, telecommunications, healthcare and pharmaceuticals.

Currently, Tim is working on is an initiative to build a security management content platform that aims to provide security and privacy professionals with hands on security policy, process, awareness and other related security management content. In addition, Tim is supporting and advising CIOs, Chief Security Officers and Data Privacy Officers on selective projects and initiatives (via FJAM consulting).

Tim has worked for and with different big 4 audit firms, strategic management consultants as well as niche security consultants and integrators. Between 2012 and 2017 he also was the Operations Manager, Transition Lead and overall “right-hand” of the CISO of one of the largest pharmaceutical companies, managing a team of +300 security and risk people across the globe.

He can rely on extensive experience in discussing and presenting strategic IT and Information Security topics with / to C-level management of both SMEs and multinationals.

Tim is the author of “Security Awareness: Best Practices to Secure Your Enterprise”, ISACA, 2005 and co-author of the Belgian Cyber Security Guide (Dec 2013, ICC Belgium and FEB/VBO). He also co-authored EY Mobile Money 2011 and helped developing and writing EY’s 2008 Revenue Assurance Survey.

Tim is a regular guest speaker on topics such as security, privacy and social media. In the past, he also held presentations and wrote articles on mobile money, revenue assurance and fraud management, as well as on IT audit and business process modelling. Between 2006 and 2013, he was a guest professor at the Master in Computer Audit of the University of Antwerp Management School and the Executive Master in ICT audit & Security of the Solvay Business School.

The opinions expressed in this blog are those of Tim Wulgaert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.