Human error remains one of the most formidable obstacles to enterprise security. As a result, many companies are implementing security awareness training programs. But are they doing awareness training right?

According to a study authored by cybersecurity executive Calvin Nobles titled “Shifting the Human Factors Paradigm in Cybersecurity,” 90 percent of security incidents are connected to human error. That incredibly high statistic begs the question, are all the awareness training investments paying off?

When it comes to employee training, the quality of the content is the most important consideration. A one-time, mandatory video doesn’t work to mitigate risk. However, making end users aware of cyberthreats has great potential for risk management. That’s why security awareness programs should be part of a layered defense strategy.

Give Power to the People

In his study, Nobles found that while organizations are investing heavily in security technology, they are still lagging behind when it comes to employee training initiatives. Lisa Plaggemier, security evangelist at InfoSec Institute, echoed that sentiment.

“There are times when humans save the day, and there are times when technology saves the day, but people can know something without changing their behavior,” she asserted.

In every organization, employees openly violate security policies, log in using unsecured public networks, use work devices for personal transactions, download unapproved software, share passwords and unknowingly open malicious attachments from phishing attacks. The question is not whether organizations need to deploy awareness programs; rather, organizations should be thinking about how they can empower their employees to feel a sense of ownership of enterprise security, which requires getting a little more creative and personal with cybersecurity training.

Get Creative With Security Training

Nobles also found that organizational culture impacted the success rate of human risk mitigation. A culture that is employee-focused and team-oriented with open communication for the purpose of creating a positive work environment is more likely to generate employees who feel both empowered and valued. In turn, they value the organization.

To change the culture of an organization, its members need to buy in, and that buy-in must come from the top down. One of the greatest challenges of an effective awareness program is getting everyone to commit to the reality that it’s not about teaching security but creating a change in the culture of the organization. That’s why Plaggemier said awareness campaigns should look more like marketing campaigns.

“You need to spark interest, and the content needs to be funny and engaging,” she said. “There are a lot of ways to customize and get the right message to the right person at the right time, but most trainings that are being offered are one-size-fits-all.”

Customize Training to Your Company Culture

The problem with a one-size-fits-all training is that regardless of your role or the kinds of endpoints you are generating, every employee receives the same training. Besides being disengaging, these exercises lack any tracking capabilities that can verify whether people are actually learning. It’s no wonder that awareness programs aren’t more successful.

Whether it’s videos, newsletters, print or events, there are so many channels available to get people’s eyes on security content. A one-dimensional approach that only applies one of these methods will not reach its full potential efficacy. All too often, the people involved in creating the awareness training programs aren’t thinking strategically enough about the campaigns they create.

Communicate the Value of Security Awareness

The reality is that many people don’t care about security, which is why Plaggemier said it’s critical to invest in clear messaging that demonstrates why security matters.

“Compared to the other media that people consume in their daily lives, most training programs are not very good,” she said. “The people that will engage in something humorous are also the same folks that don’t take assigned training modules seriously.”

Rather than hanging a content-filled poster in the break room and expecting people to read it, put your security awareness messaging on par with all the other content people consume throughout the day. Compared to a beer ad during a football game, for example, the break room poster is an obvious flop: unengaging, tailored to no particular audience and too self-serious.

Your content needs to be creative, but it also needs to appeal to users. Funny content becomes far less funny if it’s mandatory.

“When you make something mandatory and the metric you use is how many people completed it, you’ve missed the point of how to engage culture, but the inherent challenge is that security folks are being gauged on whether people were interested,” Plaggemier explained.

Gamification is fast becoming a popular way to pique employee interest, and many companies have implemented companywide challenges, where departments play against each other to see who scores best on internal mock phishing campaigns.

Initiate a Cultural Shift

A recent report from (ISC)2 found that while 43 percent of security professionals use their skills developed in user awareness training two to three times per week, “professionals seem to be struggling to find the time for user awareness training, which they say is an important quality they look for in employers.”

What security job seekers want from an employer is a commitment to a continued investment in security training. Wes Simpson, chief operations officer at (ISC)2, said effective awareness training starts with the people you hire. Increasingly, companies are looking to hire candidates with the soft skills needed to strategically communicate the value of security across the organization.

An effective awareness program leverages the soft skills of various individuals who are able to facilitate a cyber program. Fortunately, according to Simpson, cyber is moving away from being a mysterious, frightening, negative aspect of the organization.

“It’s been elevated from a visibility standpoint so that it’s no longer an option but an ongoing investment.”

Companies have to be proactive about creating an agile program that not only considers the risks to the organization, but tailors the training to the users within that organization to mitigate those risks. When security awareness is a company program distributed to every single employee where daily conversations happen across the company — regardless of department or team — the employees are more likely to appreciate that they have a responsibility to the program.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today