For decades security awareness programs have been based on the assumption that employees don't know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to "surf" motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees' security behaviors and how practitioners can create meaningful metrics.