How to Make Security Awareness Training More Effective
More than two-thirds (68%) of cyber-attacks involve human error or a social engineering attack designed to exploit human weaknesses. As a result, security awareness training has become a necessary component of tackling these human-related security failures.
That being said, 84% of security leaders report that their organizations were victims of phishing attacks, even though 98% ran some form of security awareness training (SAT) for their workforce. This suggests that many training programs are falling short of the outcomes they were designed to deliver. There could be several reasons for this:
- The content is boring, repetitive, unengaging or out of date.
- The program is designed only to “check the box” or meet compliance requirements.
- The program is designed to be one-size-fits-all.
- The training format doesn’t prepare employees for real-world scenarios.
- The program is focused solely on raising awareness, not on changing behavior.
How Can IT Leaders Make Security Awareness Training More Effective?
Below are tips that can help organizations derive more value out of their security awareness programs:
1. Focus on Outcomes Over Participation Rates
Remember, “security awareness” is a misnomer. Just because someone is aware does not mean that they will behave in a certain way. We know speeding kills, but we still do it. Similarly, making employees aware of cybersecurity risks is a key step, but it’s also critical that organizations go beyond awareness. Legacy training is “activity focused”: tracking participation or completion rates will not cut it. Instead, measure employee attitudes, perceptions and behaviors, identify where the gaps lie, and measure improvement after training and over time. In practice that means measuring how often employees do risky things or fall for phishing scams, and whether that behavior actually changes after they’ve attended training.
2. Personalize Training According to Individual Needs
Employees aren’t homogeneous; they have different personalities, expectations, security competencies and learning abilities. Some people need more time and patience to train. Some employees might have a history of opening malicious attachments, downloading unauthorized software and violating protocols and policies; such people may require one-to-one coaching. Some employees are at greater risk of impersonation or social engineering attacks (for example, leadership teams and accounts and finance teams). Malicious activity also tends to intensify around certain events, such as mergers and acquisitions and product releases. It’s important that employees be trained and reminded of risks in the right manner, at the right time and in the right amount, to avoid apathy.
3. Use Real-World Simulations and Real-time Teaching
Traditional classroom training is standard fare; however, to truly prepare employees for real-world scams, they must experience real-world situations. Phishing simulators teach employees to identify social engineering red flags and train their muscle memory to report these incidents. (52% of employees do not report phishing emails.) Such tools also help organizations gather and monitor granular phishing performance data and identify employees who may need more training. Use tools or software that can deliver insights and nudges in real time, at the very moment an employee is taking a risky action. Such real-time teaching can head off an incident at the point of action, and it also educates the employee about why the action was flagged and what they should have done instead.
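The outcome metrics called for in tip 1 and the phishing-simulation data described in tip 3 come together in the following added example, which is not code from the original article or from any simulation vendor. It assumes a simulator export with one row per delivered simulated phish (employee, send date, whether the employee clicked, whether they reported it, and minutes until the report), splits results at an assumed training date, and reports click rate, report rate and median time-to-report before and after training, plus the employees who clicked repeatedly and are candidates for one-to-one coaching. The sample rows are constructed for illustration, not real results.

```python
from datetime import date
from statistics import median
from typing import NamedTuple, Optional


class PhishResult(NamedTuple):
    """One delivered simulated phish. This field layout is an assumption about
    the simulator export; adapt it to whatever your tool actually produces."""
    employee: str
    sent: date
    clicked: bool                       # followed the link or opened the attachment
    reported: bool                      # used the report button or forwarded to the SOC
    minutes_to_report: Optional[int]    # None when the message was never reported


# Constructed sample data: four employees, two campaigns before training
# (January, February) and two after (May, June). Not real results.
RESULTS = [
    PhishResult("alice", date(2024, 1, 15), False, True, 12),
    PhishResult("bob",   date(2024, 1, 15), True,  False, None),
    PhishResult("carol", date(2024, 1, 15), True,  False, None),
    PhishResult("dave",  date(2024, 1, 15), False, False, None),
    PhishResult("alice", date(2024, 2, 12), False, True, 8),
    PhishResult("bob",   date(2024, 2, 12), True,  False, None),
    PhishResult("carol", date(2024, 2, 12), False, False, None),
    PhishResult("dave",  date(2024, 2, 12), True,  True, 45),   # clicked, then reported
    PhishResult("alice", date(2024, 5, 13), False, True, 5),
    PhishResult("bob",   date(2024, 5, 13), True,  True, 30),
    PhishResult("carol", date(2024, 5, 13), False, True, 20),
    PhishResult("dave",  date(2024, 5, 13), False, True, 15),
    PhishResult("alice", date(2024, 6, 10), False, True, 4),
    PhishResult("bob",   date(2024, 6, 10), False, True, 10),
    PhishResult("carol", date(2024, 6, 10), False, False, None),
    PhishResult("dave",  date(2024, 6, 10), False, True, 9),
]

TRAINING_DATE = date(2024, 4, 1)  # assumed date the workforce completed training


def outcome_metrics(rows):
    """Behavioural outcomes for a set of delivered phishes: how many were
    clicked, how many were reported, and how quickly. Module completion rate
    is deliberately not among them."""
    delivered = len(rows)
    if delivered == 0:
        return {"delivered": 0, "click_rate": 0.0, "report_rate": 0.0,
                "median_minutes_to_report": None}
    clicks = sum(r.clicked for r in rows)
    report_times = [r.minutes_to_report for r in rows if r.reported]
    return {
        "delivered": delivered,
        "click_rate": clicks / delivered,
        "report_rate": len(report_times) / delivered,
        "median_minutes_to_report": median(report_times) if report_times else None,
    }


def before_and_after(rows, training_date):
    """Split results at the training date so the change in behaviour, not the
    attendance figure, is what gets reported."""
    before = [r for r in rows if r.sent < training_date]
    after = [r for r in rows if r.sent >= training_date]
    return outcome_metrics(before), outcome_metrics(after)


def per_employee(rows):
    """Delivered, click and report counts per employee, for targeting follow-up."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r.employee, {"delivered": 0, "clicks": 0, "reports": 0})
        s["delivered"] += 1
        s["clicks"] += int(r.clicked)
        s["reports"] += int(r.reported)
    return summary


def repeat_clickers(rows, min_clicks=2):
    """Employees who clicked at least min_clicks times across campaigns:
    candidates for one-to-one coaching rather than another generic module."""
    return sorted(e for e, s in per_employee(rows).items() if s["clicks"] >= min_clicks)


if __name__ == "__main__":
    before, after = before_and_after(RESULTS, TRAINING_DATE)
    print("before training:", before)
    print("after training: ", after)
    print("repeat clickers:", repeat_clickers(RESULTS))
```

On the constructed data the click rate falls from 50% to 12.5% and the report rate rises from 37.5% to 87.5% after training, while bob, who clicked three times, is flagged for individual follow-up. Those are the numbers worth putting in front of leadership; the fact that all four employees completed the module says nothing by itself.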
4. Make Training Content Fun and Interactive
Training content doesn’t have to be serious, dry or monotonous. Attention spans are limited and retention is short. It’s also tiresome to go through the same training agenda every year. Invest effort in building the right content, using the right medium and being creative with communication. Program managers must think like marketers and plan their actions and communications as if executing a marketing plan. Make training contextual and relevant for the audience you are delivering it to; practice storytelling; use bite-sized training rather than one long, drawn-out session; leverage gamification, offer incentives, run contests, and reward and highlight top performers.
5. Continuously Incorporate Feedback and Adapt
Security awareness is nothing short of a change-management initiative. It takes effort, it takes persistence, it takes time. Security training must also be adaptive: training results and employee feedback must be harnessed to enhance the program and adapt it to employee needs. The idea is not to enforce security but to influence how employees feel about, view and perceive cybersecurity. Such a change isn’t possible with arrogance or punishment. If employees are demotivated, they will ignore instructions and suggestions or, worse, act against them.
To summarize, a box-ticking exercise can never change employee behaviors or mindset. Instead, organizations must tailor training programs to employee needs and organizational risks, leverage real-world simulations and real-time teaching, make training more engaging and entertaining, and focus on real outcomes rather than participation statistics. This will contribute to a more secure, resilient workforce and foster a positive cybersecurity culture over time.
Erich Kron
A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is Security Awareness Advocate for KnowBe4. An author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in information security.