What awareness is supposed to be
In a recent article that highlights why security awareness programs frequently fail, the top reason cited was poor governance. In reviewing and implementing dozens of awareness programs, I have come to believe that the poor definition and implementation of security governance is the fundamental reason for security awareness program failures.
First, consider what governance is. At a high level, governance is the definition of how people should perform their daily functions. Notice that this doesn’t say anything specific about security. The assumption is that the definition of behaviors embeds security.