I'm looking for different ways to do security awareness for 'normal' users. As they usually don't have much of an attention span and not a single bit of interest in the subject, the usual formal means of awareness simply don't work.
I'm thinking of new means for security awareness and wanted to hear what you think on the subject, if you have conducted or know about awareness campaigns that really worked.
I'm talking about initiatives like Symantec's scary internet stuff or mindful security.
Also, regarding IT staff, what security awareness campaigns or initiatives have worked better for you?
We once put the following on our intranet, as a friendly reminder to people that they should change their passwords regularly. I am pretty sure it worked, because the volume of "I forgot my password" type helpdesk calls in the following 2 weeks was higher than average!
It's hard to put together one that works. It helps to have engaging content, and some rewards (e.g. run a simple quiz and give away something of interest). It helps to have influential leaders in your organisation actively promoting participation in the awareness campaign.
Microsoft have a toolkit you can download which has some ideas in it. Sophos released some material recently which also has good ideas. As do Symantec (as you mentioned) and most leading IT orgs, since it is a way they can slip in some marketing.
I've found the most successful topics for awareness are those that have immediate and clear benefits. Changing passwords regularly doesn't have obvious benefit for most users. Same with avoiding clicking online ads. But if these can be worded in ways that appeal to your audience then you're more likely to succeed. For example if you have parents, they will be sensitive to computer security advice that can protect their kids (oh and incidentally teach them good work practices too).
Regarding IT staff, security awareness seems to have less impact. Clear procedures and policy, good management guidance, and a culture of security are more successful, in my experience.
There is only so much you can do with training, especially when there are no (perceived) consequences for not following the rules.
We in the security field need to come to terms with the fact that people have better things to do with their time than follow our silly rules, most of which they don't understand and any consequence for the user is so delayed (hours, weeks, months) that the majority will never learn. It's pure psychology and we seriously need to take a clue from what the last 60 years of marketing/spin/manipulation has taught us about the human brain.
Your best option is to manipulate your way to success. Whatever you're trying to get your users to do, make your secure way the easiest/fastest/cheapest way. Users skip security advice because it can save them 2 seconds, so reward good behavior whichever way you can.
Example: Many years ago, I was in an organisation which suffered from users picking the same passwords across many systems and these systems accepted telnet-access from anywhere. This was exploited by attackers on more than one occasion.
Killing telnet and going to ssh with key authentication solved the security problem and removed the need for users to type in usernames and passwords on every remote connection. Not having to type their password for every new connection made it OK that they had to unlock their ssh key with a passphrase every morning.
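The telnet-to-ssh change described in the answer above, as an added example that is not code from the original post: a small POSIX shell script that audits an sshd_config fragment for key-only authentication (password and keyboard-interactive login off, public-key login on) and prints the per-login ssh-agent snippet that gives users the one-passphrase-per-morning workflow the answer describes. The two config fragments are constructed samples; the key path ~/.ssh/id_ed25519 and the option names are assumptions about an OpenSSH server (older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication, so both are checked). Match blocks are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only authentication and show
# the client-side ssh-agent setup that makes the secure path the easy path.

# Constructed sample server configs (not taken from any real host).
HARDENED_SSHD='Port 22
# passwords are not accepted at all; users must present a key
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

WEAK_SSHD='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'

# sshd_option CONFIG_TEXT KEYWORD
# Print the effective value of KEYWORD. sshd keywords are case-insensitive and
# the FIRST occurrence wins, so stop at the first non-comment match.
sshd_option() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }'
}

# audit_sshd CONFIG_TEXT
# Return 0 when only public-key login is possible, 1 otherwise. Missing
# options fall back to the OpenSSH defaults (password yes, kbd-interactive
# yes, pubkey yes), which is why an empty config is reported as weak.
audit_sshd() {
    pw=$(sshd_option "$1" PasswordAuthentication)
    pk=$(sshd_option "$1" PubkeyAuthentication)
    kbd=$(sshd_option "$1" KbdInteractiveAuthentication)
    # Older OpenSSH used a different keyword for the same setting.
    [ -n "$kbd" ] || kbd=$(sshd_option "$1" ChallengeResponseAuthentication)
    [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ] && [ "${pk:-yes}" = yes ]
}

# agent_profile_snippet
# Print the lines a user adds to their login profile: start one ssh-agent per
# session and load the (passphrase-protected) key once. Every later ssh
# connection then authenticates through the agent with no prompt at all.
# The key path is an assumption.
agent_profile_snippet() {
cat <<'EOF'
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add ~/.ssh/id_ed25519    # asks for the passphrase once per login
fi
EOF
}

# Walk both sample configs so the script does something when run directly.
for name in HARDENED_SSHD WEAK_SSHD; do
    eval "cfg=\$$name"
    if audit_sshd "$cfg"; then
        echo "$name: key-only login enforced"
    else
        echo "$name: password or keyboard-interactive login still possible"
    fi
done

echo "--- add to each user's login profile ---"
agent_profile_snippet
```

The audit deliberately treats an absent option as the server default rather than as "unset", because the common mistake is to add `PubkeyAuthentication yes` while leaving the password default in place, which the weak sample reproduces.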
Some claim that security awareness campaigns rarely have a lasting positive effect, but I think the key is to get the message in the users face, but in a positive way.
We've used various humorous messages shown as randomized images in the standardized screen saver that our organization uses. Cheap, and reaches the entire organization. In addition, posting informational posts on the intranet on timely topics can also be useful, for example how to safely use social networks. More technical issues, like password quality/lifetime should be enforced by technical restrictions, not left as a choice to each user.
When I started work in a previous company with about 60 staff, the Post-its weren't even hidden. They were stuck to the monitors, because it saved that extra step of having to lift up the keyboard or phone to read them. Attempts at a wholesale education process were a complete waste of time. Once I realised that, I had one-on-one talks with the worst offenders. Where possible I identified those who loved to chat and gossip and focused my attention on them, and let them (unintentionally) help me spread the word through their gossiping.
It probably took about 3 months or so, but the results were very good. Once the senior managers got the hint, often through reminders from their own staff, things became a lot more official and my work (in that respect) was done.