P-2 Awareness Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


Owners, providers, and users of information systems and other parties should be informed about (or readily be able to gain appropriate knowledge of) the existence and general extent of measures, practices, procedures, and institutions for the security of information systems.


Awareness of security measures, practices, procedures, and institutions strengthens existing controls, enables some security mechanisms, and can reduce certain threats. For example, the use of personnel badges is weakened if it is not exhaustively enforced. If unbadged individuals go unchallenged, a vulnerability has been introduced to the system.

Awareness also increases user acceptance of controls. Security policies and procedures often conflict with normal daily practice. Without user acceptance, the users themselves will pose a risk to the information system by ignoring, bypassing, or overcoming controls, or simply by doing what feels more natural to do. Successful security awareness makes secure practices part of each individual's natural response.

The Principle of Awareness is bidirectional. By educating users, information security professionals will hear legitimate complaints about impediments and obstructions to productivity, as well as unreasonable demands or expectations. The awareness principle applies to unauthorized users as well as authorized ones. If every user, authorized or unauthorized, is made aware of the organization's position on unauthorized use and the potential consequences of unauthorized use, some potential unauthorized users will choose to decline the opportunity.