Great post about security awareness by Douglas B. Robison, Florida Blue, a 2014 CSO40 award recipient. Here is an excerpt:
"At Florida Blue, we made the decision to update our awareness program from the standard annual CBT and a few published articles on our corporate Intranet. At the start of 2013, we committed to a mission focused on delivering meaningful, measurable, and sustainable awareness campaigns, events, and educational activities to develop and maintain a culture of personal and corporate security. To achieve this, our focus shifted and then centered on who our people are and how they learn.
"One of the ways adults approach learning is to ask the question, “What’s in it for me?” Adult learners seek relevancy. In order to make information security relevant, we needed to apply the WIFM principle, i.e, “What’s In It For Me?” Obviously, employees have a stake when it comes to understanding policies, information classifications, and the “thou shall’s” and the “thou shall not’s” such as not putting a sticky note with your password underneath the keyboard. However, to educate our employees about risks, threats and vulnerabilities, we decided to bring it closer to home, quite literally." Sounds like security awareness training done right.
See more at: http://blogs.csoonline.com/data-protection/3063/florida-blue-takes-security-awareness-personally#sthash.mYoaXi2v.dpuf
