Security awareness programs that work against human nature will fail

Carpenter said IT leaders should take stock of where the organization is in terms of security awareness. To get a sense of where everyone is, IT leaders can interview different divisions, leaders and employees, and study the work environment, he said.

Perry Carpenter

“Your security awareness program may look similar to somebody else’s, but it should not look like an exact carbon copy of somebody else’s,” Carpenter said. Each organization has subtle — or not so subtle — differences depending on personalities, location, language, demographic, et cetera, he added.

Does your organization have a lot of Millennials? Then viral videos might work really well for spreading security awareness in your organization. But then you run the risk of alienating your older workers — it’s a fine line, Carpenter said. Figuring out employees’ strengths is critical to achieving right balance.

“Find out what behaviors people are struggling with and what people naturally do well when it comes to security,” he said. “If you have a population of people that are naturally doing the right thing, you probably don’t need to train them on that — they’ll feel talked down to.”