"Security Awareness Report - Sans"


Download "Security Awareness Report - Sans"

Download PDF

Fill PDF online

Rate (4.7 / 5) 26 votes
It’s Time to Communicate
It’s Time to Communicate
Table of Contents
Report Summary
About This Report
Measuring Security Awareness Success
What is Your Single Biggest Challenge
The Importance of Time and Security Awareness
Communication is Critical
Demographics and Additional Information
A Big Thanks
About SANS Security Awareness
2017 Security Awareness Report
Report Summary
Don’t have a lot of time? Then this page is for you. Capitalize on the key findings from the 2017
Security Awareness report - use it to help you achieve success in your awareness program.
During our research for the SANS 2017 Security Awareness report, we uncovered two main drivers
why awareness programs thrive or fail. In addition, we uncovered a surprising key finding.
Time is critical
In last year’s report, we identified lack of resources as a key blocker. This year we narrowed
that down more and discovered that time, not budget, is the critical resource for success.
What does time specifically mean? We define it as the combined effort of people who
contribute to an awareness program, measured as total number of full-time employees
(FTEs). For example, if you have two people each working half time on your awareness
program, combined their efforts are one FTE. Far too many organizations view awareness
as a part-time job, crippling their awareness team’s ability to effectively get things done.
We found the minimum number of FTEs required to change behavior at an organizational
level was 1.4 FTEs, while the most successful awareness programs had at least 2.6 FTEs
dedicated to awareness.
Communication is the most important soft skill
Last year we learned that a lack of soft skills was prevalent in the development of
awareness programs. This year, we’ve defined that as a lack in communication skills. This
includes the ability to effectively communicate to and engage employees, as well as the
ability to effectively communicate to and demonstrate value to leadership.
Women are twice as likely as men
to be dedicated
Surprise Finding!
full-time to security awareness.
Ultimately, we, the security community need to stop blaming employees as the security problem
and start blaming ourselves. It’s up to us to understand what the root causes are in failing to
change human behavior and address those issues. The rest of this report is dedicated to doing
just that. We dive deep into the first two points listed above and outline pivotal steps you can
take to address them. Additionally, we give you the opportunity to benchmark your awareness
program against others from research gathered from the community.
2017 Security Awareness Report
About This Report
Overview and Analysis
Before we begin, let’s discuss a bit of background about the third annual SANS Security
Awareness Report. The purpose of this report is to enable security awareness professionals
to make data driven decisions on how to improve their security awareness program and
benchmark their program against other organizations.
To accomplish this, we’ve conducted a global survey of security awareness professionals every
year. Last December, 1,084 qualified people from 58 different countries responded to the survey,
well over twice as many from the previous year. By qualified people we mean professionals who
help build, manage or contribute to their organization’s security awareness program.
This report is based on the results from that survey. If you have any questions or suggestions on
this report, please contact us at
2017 Security Awareness Report
We’d like to recognize several important people that contributed to the creation of this report. The
content that comprises this report was developed by the community and for the community. Check
out the full bio of each of these amazing folks at the end of this report. We’d like to especially
recognize the team from the Kogod Cybersecurity Governance Center at American University’s Kogod
School of Business.
Sahil Bansal
Zoë Bludevich
Senior Manager
Research Assistant
Information Security - Genpact
The Kogod Cybersecurity Governance
Center at American University’s Kogod
Jessica Fernandez
School of Business
InfoSec Communications Consultant
Warner Bros. Entertainment Inc.
Aria Chehreghani
Research Assistant
Mark J. Lucas
The Kogod Cybersecurity Governance
Lead System Administrator
Center at American University’s Kogod
California Institute of Technology
School of Business
Joanna Lyn Grama
Michael Giampiccolo
Director of Cybersecurity and IT GRC
Research Assistant
The Kogod Cybersecurity Governance
Center at American University’s Kogod
School of Business
Valerie M. Vogel
Senior Manager, Cybersecurity Program
Taylor Heywood
Research Assistant
The Kogod Cybersecurity Governance
Ingolf Becker
Center at American University’s Kogod
University College London
School of Business.
Jonathan Homer
Rebekah Lewis
Infrastructure Protection Specialist
Deputy Director
Information Security – Consultant
The Kogod Cybersecurity Governance
Center at American University’s Kogod
School of Business
2017 Security Awareness Report
Page of 27