As organisations recognise the need to educate their employees on security beyond a simple online training module, new challenges present themselves. Although implementation of formal security education and awareness programs is increasing, this does not require a unique new approach – it is essentially a change management program. One well-known method for change management is the PROSCI ADKAR® model, which identifies five critical steps, all of which must be achieved to realise change:
- Awareness of the need for change;
- Desire to participate in and support the change;
- Knowledge of how to change;
- Ability to implement required skills and behaviours;
- Reinforcement to sustain the change.

With this model, and with security communications in general, there are sticking points to overcome. First, how to simplify the knowledge required without dumbing it down. Second, how much information an individual or group needs. In security we think in terms of risk management but there are too many…