A lot of knowledge is an even more dangerous thing
The other big stumbling block is that the people running security awareness programs know too much about security.
"It's not that people are stupid," said Spitzner. "The reason people are not being secure is because we, as a security community, are to blame. We don't reach out enough to them, or when we do reach out to them it's geeky, technical and overwhelming."
According to the survey, 79 percent of people leading security awareness programs have highly technical backgrounds.
"The more of an expert you are at something, the worse you are at communicating it," he said. "'Come on, do complex calculus! You guys are so stupid. It couldn't be easier. How could you not understand this?'"
To make things even worse, all this technical knowledge is often combined with a lack of communication skills.
"Yet when you think about it, security awareness is nothing more than effective communication," he said.
Organizations with successful security awareness programs typically solve this problem in a couple of different ways.
One is that they get someone from a communications department or marketing or public relations and embed them into the security team.
"This tends to be for the larger organizations," he said. "And the beauty of it is that the communications department has all the connections to push a message out."
The other approach is to take a security professional and train them in communications. It's important to pick someone who's good at social skills, he added.
"That's one of the first things I tell my students," he said. "If you don't like people, you're in the wrong class."