Human error remains one of the most formidable obstacles to enterprise security. As a result, many companies are implementing security awareness training programs. But are they doing awareness training right?

According to a study authored by cybersecurity executive Calvin Nobles titled “Shifting the Human Factors Paradigm in Cybersecurity,” 90 percent of security incidents are connected to human error. That incredibly high statistic raises the question: are all the awareness training investments paying off?

When it comes to employee training, the quality of the content is the most important consideration. A one-time, mandatory video doesn’t work to mitigate risk. However, making end users aware of cyberthreats has great potential for risk management. That’s why security awareness programs should be part of a layered defense strategy.

Give Power to the People

In his study, Nobles found that while organizations are investing heavily in security technology, they are still lagging behind when it comes to employee training initiatives. Lisa Plaggemier, security evangelist at InfoSec Institute, echoed that sentiment.

“There are times when humans save the day, and there are times when technology saves the day, but people can know something without changing their behavior,” she asserted.

In every organization, employees openly violate security policies, log in using unsecured public networks, use work devices for personal transactions, download unapproved software, share passwords and unknowingly open malicious attachments from phishing attacks. The question is not whether organizations need to deploy awareness programs; rather, organizations should be thinking about how they can empower their employees to feel a sense of ownership of enterprise security, which requires getting a little more creative and personal with cybersecurity training.

Get Creative With Security Training

Nobles also found that organizational culture impacted the success rate of human risk mitigation. A culture that is employee-focused and team-oriented with open communication for the purpose of creating a positive work environment is more likely to generate employees who feel both empowered and valued. In turn, they value the organization.

To change the culture of an organization, its members need to buy in, and that buy-in must come from the top down. One of the greatest challenges of an effective awareness program is getting everyone to commit to the reality that it’s not about teaching security but creating a change in the culture of the organization. That’s why Plaggemier said awareness campaigns should look more like marketing campaigns.

“You need to spark interest, and the content needs to be funny and engaging,” she said. “There are a lot of ways to customize and get the right message to the right person at the right time, but most trainings that are being offered are one-size-fits-all.”

Customize Training to Your Company Culture

The problem with one-size-fits-all training is that every employee receives the same content, regardless of their role or the kinds of endpoints they work from. Besides being disengaging, these exercises lack any tracking capability that can verify whether people are actually learning. It’s no wonder that awareness programs aren’t more successful.

Whether it’s videos, newsletters, print or events, there are so many channels available to get people’s eyes on security content. A one-dimensional approach that only applies one of these methods will not reach its full potential efficacy. All too often, the people involved in creating the awareness training programs aren’t thinking strategically enough about the campaigns they create.

Communicate the Value of Security Awareness

The reality is that many people don’t care about security, which is why Plaggemier said it’s critical to invest in clear messaging that demonstrates why security matters.

“Compared to the other media that people consume in their daily lives, most training programs are not very good,” she said. “The people that will engage in something humorous are also the same folks that don’t take assigned training modules seriously.”

Rather than hanging a content-filled poster in the break room and expecting people to read it, put your security awareness messaging on par with all the other content people consume throughout the day. Compared to a beer ad during a football game, for example, the break room poster is an obvious flop: unengaging, tailored to no particular audience and too self-serious.

Your content needs to be creative, but it also needs to appeal to users. Funny content becomes far less funny if it’s mandatory.

“When you make something mandatory and the metric you use is how many people completed it, you’ve missed the point of how to engage culture, but the inherent challenge is that security folks are being gauged on whether people were interested,” Plaggemier explained.

Gamification is fast becoming a popular way to pique employee interest, and many companies have implemented companywide challenges, where departments play against each other to see who scores best on internal mock phishing campaigns.

Initiate a Cultural Shift

A recent report from (ISC)2 found that while 43 percent of security professionals use their skills developed in user awareness training two to three times per week, “professionals seem to be struggling to find the time for user awareness training, which they say is an important quality they look for in employers.”

What security job seekers want from an employer is a commitment to a continued investment in security training. Wes Simpson, chief operations officer at (ISC)2, said effective awareness training starts with the people you hire. Increasingly, companies are looking to hire candidates with the soft skills needed to strategically communicate the value of security across the organization.

An effective awareness program leverages the soft skills of various individuals who are able to facilitate a cyber program. Fortunately, according to Simpson, cyber is moving away from being a mysterious, frightening, negative aspect of the organization.

“It’s been elevated from a visibility standpoint so that it’s no longer an option but an ongoing investment.”

Companies have to be proactive about creating an agile program that not only considers the risks to the organization, but tailors the training to the users within that organization to mitigate those risks. When security awareness is a company program distributed to every single employee where daily conversations happen across the company — regardless of department or team — the employees are more likely to appreciate that they have a responsibility to the program.
