What if your users have no choice but to break your security rules?

Try as we might, there’s never been a policy written that effectively accounted for all possible future scenarios. That’s why teaching company rules alone doesn’t provide adequate security training.

We Security Awareness practitioners tend to take for granted that we can reduce the number of preventable cyber vulnerabilities in our organisations through education alone; if we tell our users what our security rules are, then those users will unquestionably strive to comply with said rules as-written for the great food. Everything will work out fine. That’s why scads of our awareness content is built around introducing or clarifying security rules rather than on understanding or changing unsafe behaviours. That approach is … idealistic at best. Many preventable breaches occur because of users that fully understood the rules they were breaking and broke them anyway.