Extracting Long-term Value - not costs - from Your Security Awareness Training Program

Security awareness training is a hotly debated topic among CISOs. Many security leaders view training as a compliance-mandated operational expense. More forward-looking executives, however, understand the importance of fortifying the human element of their security posture. An emphasis on changing risky user behavior is much more beneficial to an organization than an annual seminar built upon hypothetical scenarios that don't represent workers' workflows. So the question remains: will you create a program that helps prevent data breaches, or do you just want your training to look like it does?


Cybersecurity awareness training is critical to businesses, particularly those operating with blended workplaces. Human actions account for 90% of all security incidents, so CISOs can quantifiably reduce their overall security incidents by upgrading the 'human firewall.'


Many businesses invest in phishing simulation exercises and online learning modules to test their employees. The expectation that these initiatives alone will eliminate phishing compromises and stop users from clicking on insecure links is unrealistic. Our research shows a short-term benefit from these techniques: the first campaign typically has a click rate of about 25%, which falls to roughly half that by the fourth campaign. However, the rate never reaches zero, and it only takes one user clicking a malicious link for a breach to succeed.


Enterprises that want to move beyond basic training should continually provide personalized coaching in real-time as employees engage in risky behaviors. By implementing policies, controls, and technologies that focus on the individual, organizations can more effectively teach employees the right behaviors that will result in a cyber-savvy culture. Educating people during 'teachable moments' instills new habits and enables organizations to track workers' resilience over time.


The following three steps will help CISOs embrace a behavior-based approach:


  • Know Thyself. The hardest part of improving employees' ability to identify cyberattacks is overcoming their innate cognitive biases. Businesses migrated to major SaaS platforms like Microsoft 365 and G Suite in droves last year, presenting their employees with a brand new digital workplace that features unfamiliar alerts, automated messages, and other notifications. People working with unfamiliar apps are more likely to fall victim to cybercriminals replicating these touchpoints to steal data and credentials.


  • Use Legacy Software to Enable Personalized Coaching. Leveraging data on an individual worker's risk profile, role, and awareness needs paves the way for CISOs to build tailored awareness campaigns. Often, this is something they can do with the technologies their organization already has, including HR systems and Active Directory.


  • Align Training KPIs with Cybersecurity Goals. Beyond reduced phishing incidents or malware infection rates, tracking specific actions – such as the number of users who have turned on 2FA or adopted a password manager – helps CISOs monitor actual changes in employee behavior.


Cybersecurity awareness training programs should never be a sunk cost. Investing the time and resources needed to help people identify and remediate cyberthreats makes business sense in both the short and long term. Learn more about how to create behavior-based cybersecurity training and measure its effectiveness.



Learn how SecurityAdvisor can help your team
