Security awareness rarely leads to sustained behavior change on its own. Organizations need to proactively develop a robust human-centered security program to reduce the number of security incidents associated with poor security behavior. The Information Security Forum laid out four elements that can move the needle on security behavior: understanding the key factors that influence employees' security choices; delivering impactful security education, training, and awareness; designing systems, applications, processes, and the physical environment to account for user behavior; and developing metrics to measure behavior change and demonstrate return on investment.
Source: https://threatpost.com/changing-employee-security-behavior-awareness/161607/