Why are your users failing to comply with policies?

One of the big frustrations for those who deliver security awareness programmes is the lack of compliance after training.

Usually just a few problems

In my experience, there tends to be a single policy or a small set of policies that “everyone hates”. Users devise methods, sometimes complex ones, to circumvent the policy for one reason or another. When this happens, everyone is stuck. Users are frustrated with the inconvenience. Management is frustrated with the unmitigated risks. And those delivering security awareness are caught in the middle.

A lot of work can be done to perform a gap analysis to figure out what needs to be changed in the programme to increase compliance. But today’s tip is to take the bull by the horns and look it straight in the eye.

How do you do this? By asking the users directly why they don’t comply.

Just ask

Try developing an anonymous, blame-free survey or questionnaire to ask which policies users do not like, and why they circumvent them. It might turn out that a shift in training will improve things (e.g. explain the risks involved) or that a modification to the policy would be more effective (e.g. ease the complexity or shorten delays). If nothing else, the additional information might help the organization develop better ways to monitor compliance in those areas and so better address the risk.

Have you used something like this? Tell us about your experiences in the comment section.

