In any environment, you pick up the daily patterns of your coworkers as an organizational security norm is created. So if you want to create ubiquitous consequences, try to change group behaviors. Depending upon the behaviors and the rewards, you might find it is easier to influence a group instead of individuals. And that in turn influences individuals.
I would love to recommend that you put 80% of your awareness efforts into developing and implementing better consequences, however the reality is that you need more support than you are likely to receive. In that case, you need to make due with creating more effective information, and implementing consequences as they arise.
The primary reason for this article is that I find few CSOs and the people responsible for implementing awareness programs are aware of the impact that consequences have on the success of not just an awareness program, but on the entire security program. When you find that you are not getting the results you want with regard to organizational behavior, you need to stop and consider if you need to divert some resources toward consequences. Again, without even considering the issue, you are eliminating 80% of the probability of success.
Sign up for CIO Asia eNewsletters.