Human error remains one of the most formidable obstacles to enterprise security. As a result, many companies are implementing security awareness training programs. But are they doing awareness training right?

According to a study authored by cybersecurity executive Calvin Nobles titled “Shifting the Human Factors Paradigm in Cybersecurity,” 90 percent of security incidents are connected to human error. That incredibly high statistic raises the question: are all the awareness training investments paying off?

When it comes to employee training, the quality of the content is the most important consideration. A one-time, mandatory video doesn’t work to mitigate risk. However, making end users aware of cyberthreats has great potential for risk management. That’s why security awareness programs should be part of a layered defense strategy.

Give Power to the People

In his study, Nobles found that while organizations are investing heavily in security technology, they are still lagging behind when it comes to employee training initiatives. Lisa Plaggemier, security evangelist at InfoSec Institute, echoed that sentiment.

“There are times when humans save the day, and there are times when technology saves the day, but people can know something without changing their behavior,” she asserted.

In every organization, employees openly violate security policies, log in over unsecured public networks, use work devices for personal transactions, download unapproved software, share passwords and unknowingly open malicious attachments from phishing attacks. The question is not whether organizations need to deploy awareness programs. Rather, organizations should be thinking about how they can empower their employees to feel a sense of ownership of enterprise security, which requires getting a little more creative and personal with cybersecurity training.

Get Creative With Security Training

Nobles also found that organizational culture impacted the success rate of human risk mitigation. A culture that is employee-focused and team-oriented with open communication for the purpose of creating a positive work environment is more likely to generate employees who feel both empowered and valued. In turn, they value the organization.

To change the culture of an organization, its members need to buy in, and that buy-in must come from the top down. One of the greatest challenges of an effective awareness program is getting everyone to commit to the reality that it’s not about teaching security but creating a change in the culture of the organization. That’s why Plaggemier said awareness campaigns should look more like marketing campaigns.

“You need to spark interest, and the content needs to be funny and engaging,” she said. “There are a lot of ways to customize and get the right message to the right person at the right time, but most trainings that are being offered are one-size-fits-all.”

Customize Training to Your Company Culture

The problem with one-size-fits-all training is that every employee receives the same content regardless of role or the kinds of endpoints they use. Besides being disengaging, these exercises lack any tracking capability that can verify whether people are actually learning. It’s no wonder that awareness programs aren’t more successful.

Whether it’s videos, newsletters, print or events, there are so many channels available to get people’s eyes on security content. A one-dimensional approach that only applies one of these methods will not reach its full potential efficacy. All too often, the people involved in creating the awareness training programs aren’t thinking strategically enough about the campaigns they create.

Communicate the Value of Security Awareness

The reality is that many people don’t care about security, which is why Plaggemier said it’s critical to invest in clear messaging that demonstrates why security matters.

“Compared to the other media that people consume in their daily lives, most training programs are not very good,” she said. “The people that will engage in something humorous are also the same folks that don’t take assigned training modules seriously.”

Rather than hanging a content-filled poster in the break room and expecting people to read it, put your security awareness messaging on par with all the other content people consume throughout the day. Compared to a beer ad during a football game, for example, the break room poster is an obvious flop: unengaging, tailored to no particular audience and too self-serious.

Your content needs to be creative, but it also needs to appeal to users. Funny content becomes far less funny if it’s mandatory.

“When you make something mandatory and the metric you use is how many people completed it, you’ve missed the point of how to engage culture, but the inherent challenge is that security folks are being gauged on whether people were interested,” Plaggemier explained.

Gamification is fast becoming a popular way to pique employee interest, and many companies have implemented companywide challenges in which departments compete against each other to see who scores best on internal mock phishing campaigns.

Initiate a Cultural Shift

A recent report from (ISC)2 found that while 43 percent of security professionals use their skills developed in user awareness training two to three times per week, “professionals seem to be struggling to find the time for user awareness training, which they say is an important quality they look for in employers.”

What security job seekers want from an employer is a commitment to a continued investment in security training. Wes Simpson, chief operations officer at (ISC)2, said effective awareness training starts with the people you hire. Increasingly, companies are looking to hire candidates with the soft skills needed to strategically communicate the value of security across the organization.

An effective awareness program leverages the soft skills of various individuals who are able to facilitate a cyber program. Fortunately, according to Simpson, cyber is moving away from being a mysterious, frightening, negative aspect of the organization.

“It’s been elevated from a visibility standpoint so that it’s no longer an option but an ongoing investment.”

Companies have to be proactive about creating an agile program that not only considers the risks to the organization, but tailors the training to the users within that organization to mitigate those risks. When security awareness is a company program distributed to every single employee where daily conversations happen across the company — regardless of department or team — the employees are more likely to appreciate that they have a responsibility to the program.
