Security awareness teams aren't getting the support they need to be successful, according to the SANS Institute. But some unexpected factors can cause programs to fail as well, including a focus on compliance -- and too much security expertise on the team.
"Most organizations actually have a security awareness program," said Lance Spitzner, director of the Securing the Human Program at the SANS Institute, looking back at what the industry learned in 2016. "Yet we continue to have problems."
Take compliance, for example, he said.
A common problem of immature security awareness programs is that they come out of a compliance requirement.
"It was developed by auditors wanting to check a box," he said. "The program doesn't change behavior because it wasn't designed to change behavior."
That doesn't mean that compliance isn't important, he added.
"Don't get me wrong, it is important," he said. "But ultimately we want to change behavior and to change the culture."
This requires that the security awareness program be designed to help people change bad security habits, and to measure those changes.
It's no surprise that many security professionals don't believe that security awareness programs work -- they're not designed to.
This year, companies looking to move their security awareness programs from the compliance stage to where they actually improve security should start by identifying the human risks that make the biggest impact on the company, which behaviors affect those risks, and then measuring those behaviors.
"For example, phishing represents a high human risk," he said. "And it's a good metric, because most organizations care about it, and it's a great example of how effective awareness training can be."
When a company runs its first phishing awareness test, typically 30 to 60 percent of employees will fall victim, he said. After a year of training, that number can be lowered to less than 3 or 4 percent, he said.
"And the ones who do click, will realize that they shouldn't have clicked on it, and they'll report it," he said. "So you're not only developing a human firewall, but also a human sensor."
Some security people say that someone will always click, so there's no point in these kinds of programs.
"This is designed to reduce risk, not eliminate it," he admitted. "But all technologies reduce risk -- they don't eliminate it. And it's a very effective control, and you see a very dramatic drop in incidents."
In fact, phishing assessments were the most common metric used by companies, according to a survey the institute conducted last year, followed by the number of security violations, and the number of infected devices.