What does a security awareness program ultimately want to achieve?
That employees understand the importance of security and their individual contribution, know their responsibilities and the consequences of non-compliance — with the end goal of changing attitude AND behavior.
The three communication goals:
- Employees understand the importance of information security for the company — and their individual contribution to it ("my clicks matter")
- Responsibilities and expected behavior are clear — no "I didn't know that was my job"
- The consequences of non-compliance are clear — rules with known sanctions are taken seriously
And the headline objective: "die Einstellung und das Verhalten der Mitarbeiter zur Informationssicherheit zu ändern" — change attitude and behavior.
Why both words matter: attitude without behavior is good intentions (everyone "supports" security in surveys); behavior without attitude is brittle compliance that evaporates when nobody watches. Lasting security culture needs the inner conviction (→ TPB's persönliche Einstellung) and the outer practice. That's also why success measurement must target behavior change, not training attendance.
Go deeper:
NIST SP 800-50 Rev. 1 — Betont Verhaltensänderung und Aufbau einer Sicherheitskultur als Ziel.