Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.
Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.
It’s an excellent paper though I have to admit it’s largely Geordie’s work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.