Behaviors are the actual behavior a person displays. They are what they are. For the purposes of this article, it does not matter whether the behavior is the desired behavior. The behaviors are the actions that the person takes given all the motivators.
Then there are the consequences. Consequences are the results of the actual behaviors, and have been discussed. However what is important is that while antecedents drive behaviors, so to do consequences. The stereotypic example is that if you burn your hand once on a fire, you know not to do that again.
The 80/20 Rule
As should be obvious, consequences, such as burning your hand on a fire, are much more impactful than telling someone that the fire is hot. For adults, there is the frequent statement by restaurant servers that a plate is hot. Many people hear that, but assume that they are just exaggerating. It is only when you feel how hot the plate is that you behave more cautiously.
Studies indicate that antecedents account for 20% of behavior, while consequences drive 80% of behavior. This is a critical issue to understand, and a major reason for awareness programs failing.
I previously described why awareness programs fail. To put the information in context for this article, it comes down to the fact that the antecedents are poor, and the programs lack the appropriate positive or negative consequences.
Putting the ABCs to Use
Obviously, it would not hurt to put out more relevant information. Putting out the information in multiple formats, so that the information is more likely to be received in a desirable form, is also a good thing. You can review the past article on how to create a successful awareness program as well.
At the same time, you need to look to create the appropriate consequences. I previously discussed gamification, and how to implement that in your organization. Gamification, placed into this context, is creating positive consequences for consistently exercising the desired security behaviors.
Putting together small contests or activities that are short of gamification programs can also be useful.
At the same time, you should approach your organization to see what support you can get to implement both positive and negative consequences related to your organization's overall security program. Security Awareness supports the overall security effort, so your entire department should be supportive of efforts that have people adhering to the appropriate policies.
Perhaps the strongest consequence available to an awareness program is your organization's security culture. Peer pressure is the most impactful tool that you have in implementing behavior. When I was at NSA, if a person did not wear their badge, all of their coworkers would call them out. If you left your desk with classified materials vulnerable, your manager would have a talk with you the next day, if it wasn't your coworkers.
Sign up for CIO Asia eNewsletters.