There’s a right way and a wrong way to train employees in cyber security awareness. The wrong way treats training as a once-a-year or semi-annual exercise: employees are gathered in the break room with snacks and sit through a PowerPoint presentation that is either too long or too brief to be useful. This method treats employees as a passive audience and fails to engage them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization’s safety and well-being.
The wrong way also reflects a one-size-fits-all organizational mindset. It ignores the fact that people have different strengths and abilities and respond differently to the various ways training material can be presented. They also have different security awareness needs depending on their role and their level of access to sensitive information within the organization. Another key flaw of the break room approach is that the impact of training gets measured in terms of attendance instead of content retention and behavior change.
A 2016 study of the effectiveness of security awareness training by Enterprise Management Associates, a leading IT industry analyst, reported that nearly 60% of the companies that provide such training were using less effective methods: the break room approach (23%) and the monthly security video approach (36%). As a result, organizations tend to be disappointed by small measurable improvements in behavior. That disappointment is likely to lead senior executives to dismiss the whole field of security awareness training rather than question the methods by which it is delivered.
When it’s done properly, security awareness training is parceled out in more digestible portions that expose employees to content with greater frequency and variety so it can have a deeper impact. This approach treats training more as a carrot than a stick and is interactive and role-based, making it feel more relevant and worthwhile to employees. And because it’s more challenging, it engages the minds and memories of workers much more effectively than when they are forced to passively sit through a presentation once a year or even at more regular intervals.
Security awareness training never occurs in a cultural vacuum, so it’s advisable that an organization’s risk management department evaluate the organizational culture and adjust the messaging accordingly. For example, consider an authoritarian corporate environment in which employees are expected to simply follow instructions without questioning how a task fits into a broader context. Changing an employee’s default response to something like a phishing email is likely to take more effort there than in a culture that promotes cooperation and critical thinking and recognizes the value of getting managerial and staff buy-in for new initiatives.
How does the security training at your organization compare? Are you spending your time watching what feels like the same video over and over again, or are you giving uninspiring break room speeches to employees who aren’t sure what the goal is?