Every Security Behavior Has a Cost (SANS)


To effectively manage your organization's human risk, you need to change your workforce's behaviors: how people use email, create passwords, or share information. While at first this sounds fundamental and perhaps even simple, it is deceptively hard. One of the most common reasons so many awareness programs fail is that they focus on the wrong behaviors, make secure behaviors overly complex, and/or overwhelm people with too many behaviors.

Dr. Angela Sasse has famously documented that every behavior has a cost, not only to the organization but to the individual. Dr. Cormac Herley has published numerous papers on how organizations focus on the wrong behaviors. Behavioral scientists such as Dr. B.J. Fogg have repeatedly demonstrated that to change behavior, you have to make each behavior as easy as possible. Ability, not motivation, is often the biggest blocker.

Long story short, if you want to effectively manage your human risk, first focus on as few behaviors as possible, and make those behaviors simple.