"The Challenge of Keeping It Short"

A common misconception about security awareness is that creating content is simple: just pick some random topics, communicate those random topics, and you are done. To be dead honest, that works for compliance. However, to effectively reduce human risk, you first have to identify the greatest human risks to your organization and focus on just those risks. This requires prior planning and hard work. Yet this is only half the battle. Once you have identified the key human risks, then comes the challenge of identifying the key learning objectives that address each risk: what behaviors do we need to change? A seemingly simple topic like passwords may at first appear to involve only one or two behaviors, but after some research it can quickly grow to 10 or 15 behaviors. What you thought would take only a couple of minutes to teach can take 20 minutes, and that is only one topic!

The biggest challenge I’m running into with security awareness is not …

Reposted from SANS.