Security awareness, at its most basic level, is the act of applying technical security knowledge to programs and activities that raise the awareness of employees within a given organization and diminish their risky behaviors. This includes everything from phishing-simulation and password-testing programs to community engagement, where educated practitioners teach less security-savvy users how to change their behavior to better protect themselves and their companies.
It has long been said that security is not convenient, and for many years cybersecurity teams were challenged with addressing the human element of security risk (patch your systems! change your passwords! no, that is not a real email from George Clooney!) while also trying to build a secure infrastructure that defends the organization from external attackers. While the threat from malicious insiders is real, ordinary human error is just as likely to create significant risk, whether it is someone losing a device, clicking a malicious link, or emailing the wrong file to the wrong person.
"Security awareness was initially started about 10 years ago with the advent of regulation and compliance requirements," Sedova said. "Unfortunately, they were designed with the wrong question in mind. They ask 'show me how many people have taken your training.' Instead they should have asked 'show me metrics that your program yields improvement in X behavior.' The companies leading the charge in the awareness space today are creating their programs around this question."