This short blog post suggests that cyber security awareness campaigns should be run not by IT but by human resources or standalone departments; that companies should quantify risks to guide cyber security investments; that the effectiveness of awareness campaigns should be measured; and that the goal of awareness campaigns should be long-term behaviour change.