If someone has a lack of knowledge, you need to provide them the knowledge in the formats that most effectively impart that knowledge. That is not as simple as showing people a video and testing them on their short-term memory. You need to ensure that they integrate that knowledge into their behaviors, which is the actual goal of a real awareness program.
As far as carelessness and inattentiveness go, that is more difficult to address. It implies that users know what to do, and would do it if they were thinking clearly, but they are just not paying attention to what they are doing. In this case, you have to create constant reminders so they are paying frequent attention to the task at hand. Likewise, you can increase the motivational component of doing the proper actions. In other words, highlight the importance of what they are doing. For example, a normal person will clearly be more attentive to holding a baby securely in their arms than they might be to holding a sponge. They have a greater sense of responsibility with the baby, and are naturally more attentive.
Then there is addressing people who ignore advice. For example, in the IT world, this might include people who reuse their personal password for business accounts. This was apparently the root exploit for how the North Korean hackers obtained administrator access to the Sony network. Addressing this requires an increase in motivation.
Good awareness has three components: knowledge of what the problem is, the solution to the problem, and motivation to enact the solution. Of the three components, motivation is where most awareness efforts fail. All too frequently, awareness professionals and the programs they create act as if knowledge of the problem is its own motivation. That is rarely the case. The fact is that most people know what to do, but there are more than enough people who fail to choose to do the right things. And I want to be clear that while there are some users who choose to purposefully flout the rules, for the most part, most users are just not provided enough information to choose to take the proper security actions over doing what is easiest to do.
I have made it a point to implement awareness programs that take into account improving the user environment to reduce the opportunity for them to commit errors. Those programs are then supplemented with constant metrics collection and constant research to improve the awareness programs. However, as an awareness professional, I realize that awareness is a business problem and it needs to be treated as such.
Airline accidents, workplace injuries, accounting errors, etc. are all considered business problems with large costs associated with them. As such, companies make substantial investments in studying why human errors occur and make large investments to reduce the likelihood of future errors. Besides the personal projects I have been involved with, I have never seen a similar process enacted elsewhere. I see companies hit with phishing, and then run phishing simulations, which do not improve the environment that allowed phishing to be successful, and generally do not address the root problem. However, there are so many other issues to address as well.