Creating awareness and security culture requires a lot of hard work if you want to succeed. Using the Security Culture Framework, you can design and implement the security culture you want, which is great. The SCF itself offers an over-arching framework within which you can build and maintain your culture – but sometimes you want a more hands-on approach, a methodology directly focused on security awareness activities.
When that happens, you may look at Tom Andreas Mannerud's Security Awareness Cycle, a methodology that is based on his award-winning graduation project, and one that closely aligns with the SCF. You will recognize the different steps – from defining your metrics, to understanding your audience, and creating materials that will help you succeed with your goals.
The most important addition in Tom's work is its focus on behaviors. He says you need to understand and map out the behavior you like or do not like, and then target that behavior with your activities. As behaviors are an important part of culture, and awareness alone does not change behavior, the focus on behaviors in Tom's work helps you direct your efforts and budgets where they really matter – to change the behaviors into the kind of culture you want.