Cybersecurity Awareness Training – Where we’re going wrong and how to improve
In most organizations, the announcement of the mandatory cybersecurity awareness training is usually met with the same enthusiasm as the announcement of meatloaf on the menu in the company cafeteria. In many cases, one would rather suffer through the plate of meatloaf than the dreaded cybersecurity awareness training.
Clearly, there is a problem in the presentation of both.
As cybersecurity professionals, we are science-driven. Much like a food scientist who is called upon to decipher why the meatloaf is disliked and how that can be changed, we should ask: how can we make cybersecurity awareness training more appetizing?
One need not perform exhaustive empirical research to know why security awareness training is so disliked. There are two primary complaints. The first is that it is usually a boring presentation that amounts to little more than a restatement of the usual warnings about avoiding malicious links and reporting suspicious messages to the proper team. The other is that some of the information is presented in a very condescending manner, not appropriate for an adult, professional audience.
Security teams are often unsympathetic to the complaints of the other staff, since they are also subject to the same training, regardless of their security knowledge. Worst of all, senior management is often among the worst offenders, citing their status as a reason that they do not need to take the training. This is unwise, as even a seasoned IT professional can fall victim to a scam. Too often, a target of a scam will claim that it was a sophisticated operation that led to the compromise. This is usually self-soothing, but unconvincing nonetheless.
What can be done to enrich the security awareness training experience and make it more appealing? There are many technical solutions that can assist to protect organizations, giving everyone a fighting chance against cybercrime. There are also better ways to engage our colleagues.
In 2009, research was conducted to examine Technology Threat Avoidance Theory (TTAT), which “explains individual IT users’ behavior of avoiding the threat of malicious information technologies.” In a follow-up study conducted ten years later, it was concluded, among other things, that “other variables may affect threat perceptions and avoidance motivation.” This is somewhat discouraging. Finally, a study conducted by the Information Systems Audit and Control Association (ISACA) revealed some valuable information.
The ISACA study concluded that the best method of training involved simulations. Instructor-led training alone was less effective than online training coupled with simulations. Simulations were more than just the standard phishing message. The key to the program’s success was:
“besides a training program, it is important for employees and management to experience life-like cyberincidents, which are similar to a fire drill and are called cyberdrills.”
A bold inference one can draw from all of these studies is that they seem to focus on the individual’s security, rather than that of the employer. It is reasonable to assume that people would respond differently to training that is more personalized, rather than corporate-centric. Even in a group-dependent “cyberdrill”, people will always respond differently if they feel that they have a personal stake in the event.
The researchers note that it may be more difficult to achieve such a personal touch in large organizations. This is unfortunate, but it should not be a deterrent. With the right scheduling, even a larger corporation can achieve a greater impact if the security awareness training is rolled out in increments, rather than splashed across the entire company at one time.
Creative gastronomy has been responsible for elevating otherwise unappealing kitchen creations into exquisite dining experiences. Part of how chefs do that is by making the diner feel that they are an important part of the entire process. Whether it is a mixing of flavors or the elegance of a plating technique, when the food is served with ceremony, it becomes a personal experience for all involved. If a food scientist can perform such feats of curiosity and interest, it should be equally possible for us cybersecurity professionals to use our creativity to engage our security awareness audience.
About the Author:
Bob Covello is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He also volunteers for various organizations focused on advocating for, and advising others about, staying safe and secure online, and works with Bora Design.