Many in the industry questioned the need for awareness programs as a security strategy at all in 2013. The underlying problem is not that awareness programs are poor but that users exhibit behaviors that are insecure. The implementation of technology should be determined in the context of an organization’s business processes and the likelihood that the technologies will mitigate a user’s failures to properly implement governance. The ultimate goal of awareness is to reduce the loss from areas where governance and technology eventually will fail, but an effective awareness program is still critical.”]