Awareness training plays an important role in an organization’s overall cybersecurity posture. But while security tools and platforms are regularly updated or replaced to meet the challenges of a constantly changing threat landscape, security awareness training has remained stagnant.
Training is the first, and often the only, interaction with the security team, said Marisa Fagan, head of trust culture and training at Atlassian. It’s an opportunity for the security team to create a positive experience that delights as well as educates employees, which could have big payoffs later with faster incident resolution and fewer mistakes with security impacts.
That’s in a perfect world. In the actual workplace, security awareness training isn’t meeting those objectives.
At the Insider Risk Summit in late September, Fagan explained that traditional awareness training does not focus on outcomes, it’s not interesting or engaging, and worst of all, it doesn’t convince anyone to actually care about security.
It isn’t surprising that traditional cybersecurity training approaches aren’t working.
“When you look at the data over the past five to 10 years, the approaches haven’t moved the needle in materially reducing organization risks,” said Mary Dziorny, cyber strategy manager at Accenture.
What’s missing from traditional security awareness training
Security awareness training has stagnated, in part, because it is a financially undervalued — and underfunded — piece of the cybersecurity platform.
Security awareness training professionals end up spending most of their work time on other projects, according to a study from the SANS Institute. Or they have the wrong people in charge of awareness training, relying on those with high technical skills to lead the effort who might not have the soft skills needed to engage co-workers.
Also, there aren’t enough people on the awareness training team. Most companies have one or fewer people in charge of training programs. The organizations that have more mature training programs and a more mature security posture are those that have four or more people responsible for awareness training.
Not having enough — or the right people — to do the job could be why security awareness training itself misses the mark.
“Fundamentally, the industry is struggling to connect the realities of adult learning best practices with how organizations need to run their businesses, which is efficient and effective,” said Dziorny.
Security training today tends to emphasize specific focus areas, like how to ensure the organization is meeting compliance regulations or to improve employee production, but it skips things like employee engagement or improving employee job satisfaction.
“Through more hands-on learning and upskilling, rather than outmoded table-topping exercises, security teams can see how their organization performs on relevant and timely exercises and simulations — even within hours of a new threat going live — so they can prove their ability and stay current,” said Max Vetter, VP of content at Immersive Labs.
Revamping awareness training through behavior
As cyberattacks become more sophisticated, employees need to take a more active role as the first line of defense. That means more effective cybersecurity awareness training, while working through the parameters of current budgets and staffing.
It should focus on making the training more engaging and looking at how to change human behavior.
One change to awareness training is to either get rid of or deemphasize the term awareness.
There’s a simplistic take that just by saying “awareness training,” users will automatically become aware of all the security issues and problems solved.
It doesn’t work that way, said Ira Winkler, field CISO and VP with CYE.
Rather than focus on awareness, the emphasis should be on how to change behavior. With behavioral science, you want to put things in place like reward systems, modifications to the user experience, or more established guidelines.
“The goal is to have measurable improvement in security-related behaviors, and that’s very different from the concept of awareness,” said Winkler.
One way to achieve this is to actually catch users performing good security behaviors and reward them, rather than looking for mistakes and punishing them. This could include highlighting when employees take security training classes, report a phishing email, or regularly use multifactor authentication.
You might reward these behaviors in different ways — the point is to have a constant system to do so.
Storytelling as training
Another behavioral training method is to use storytelling.
“Not only is storytelling a proven educational method rooted in behavioral science, it has the added feature of being entertaining as well,” said Fagan.
Educating and entertaining should work in tandem to cement security-related concepts in employees’ minds. Security should become a habit, but to get to that point, training should follow the pop culture format.
“The most successful security training content creators are now providing rich, engaging HD videos that tell stories with characters over several episodes with interactive elements,” said Fagan.
Like popular TV shows or NFL games, security training videos should aim to generate "water cooler" discussions around the office to reinforce the messaging.
“Using this method, we've seen a second wave of people view the training in greater numbers than in previous years simply because they wanted to understand what the first people to take the training were talking about,” said Fagan.
Cybersecurity is a distributed business problem, and it is time to move beyond the annual “how to spot a phishing email” style of training, and do more to support users to incorporate cybersecurity into their everyday work behaviors.
“We need to use realistic exercises that span from executives down to the most technical teams to unlock new levels of real-world performance measurement,” said Vetter.