
Monday, March 10, 2014

Security Awareness Programs

These days just about every organization has a security awareness program, and yet people are still the weakest link. Why? How could this be? People are generally good natured. They want to help. This simple characteristic is what makes social engineering such an effective tactic even today. The tactics are simple: ask someone a series of questions, starting with easy ones and progressing to more revealing ones. Another social engineering tactic is to make regular contact. By doing this you develop a persona and become someone the target likes. Each call not only builds that persona but also slowly collects useful information that can be researched between contacts, and all the while the person being targeted has no idea. Those who are really good at this essentially hack the mind; they can steer a conversation exactly where they want it to go.

Organizational security awareness programs typically do not properly educate internal personnel on these and other tactics. Instead they tend to focus on not revealing particular types of information. This is ineffective because a good social engineer can get what they want by other methods. It is very hard to detect a social engineer, even with proper training.

Physical security is another area I regularly see go unenforced. Security programs try to stress the importance of rules about things like piggy-backing through security boundaries, signing in guests, or even blocking off electrical panels with storage. The biggest reason these rules fail is a lack of accountability. Seldom, across the programs I've encountered, have there been consequences for not following physical security rules. Instead these rules are regarded as "best practices" and treated as less important than other rules. Security awareness programs need to address the consequences of breaking physical security rules in accordance with policy, and then, as I say so many times, policy must be enforced.

Classified markings are another area where security awareness programs are usually broken. This is a big problem even within the government and Department of Defense, where personnel receive regular training on the subject and are well aware of its importance, so it stands to reason that it is treated as even less important in the civilian world. Security awareness programs do address handling classified data, because it is a big deal in both private industry and government: in private industry it protects proprietary information and trade secrets, and in government it protects national security. Where I think they fail is in making a connection between the classified data and the person handling it, which is directly related to that person's feeling of responsibility.

My point in this post is that security awareness programs need to be revamped. More emphasis should be placed on human behavioral studies, psychological impacts, and persuasive techniques. Once programs are built more along these lines, I think they will become more effective. Of course, one of the major obstacles to such extensive research is budget; however, I think a qualitative cost-benefit analysis would prove beneficial, help close the existing gap between personnel behavior and the security program, and improve the overall security outlook of the business culture.
