I wrote this post to focus on the confusion about the role of security awareness in behavior change. The reality is that while awareness is an essential step, it is not enough to change behaviors.
Awareness, security or otherwise, is an individual realization of impact (see proper understanding of awareness). Awareness neither requires nor implies understanding. Awareness is the connection between an action/event and the impact, in context. That’s it.
As an industry, we get into trouble when we suggest that security awareness means people know and do the right things. That framing skips over important steps and creates false expectations, which leads to a whole host of challenges.
However, awareness can lead to behavior change. In fact, it’s the first part of the chain.
For example, as my awareness grows in my own yoga practice, my experience allows me to draw better and quicker connections to the impacts I feel. But even with my increased awareness and a general desire to push and challenge myself, I don’t always try new poses or progressions. Some things take a while before I try them. Further, even when I know the right action is to rest or modify, I don’t always do it.
Awareness, by itself, isn’t enough.
Before I’m ready to try something new, I naturally seek a better understanding. I also need a certain level of comfort — the space, myself, the teacher, or some combination of factors — before I’m ready to seek help, try something new, or learn a new pose/skill.
Whether learning a modification, a new pose, or asking deeper, broader questions to help me understand and advance my practice, awareness is the trigger that leads me to questions and learning.
Keep reading to find out how this works in security awareness and set the stage to change behaviors: http://blogs.csoonline.com/security-awareness/2707/how-security-awareness-leads-behavior-change