The PhishLabs Blog

Why Your Security Awareness Training Isn't up to Par (And What to Do About It)

Posted by Jenny Dowd on Nov 10, '16

Most security awareness training is boring, infrequent, and ineffective. And the worst part is… everybody knows it.

But why? How did we get to this point? And who does all this sub-par security awareness training benefit?

To answer these questions we’ll need to examine one of the main drivers: Compliance.

The Compliance Paradox

The truth is nobody benefits from poor security awareness training. Not organizations, not employees, and certainly not consumers.

What you have to realize is that poor quality training isn’t simply a case of organizations taking the easy way out. There may be an element of this in some cases, but the real culprit is actually well-meaning legislation. Compliance, after all, exists for a reason: to protect people and organizations from incompetent or negligent security behaviors.

But there’s a problem. When specific requirements meet limited training budgets, people start to look for workarounds.

Take PCI compliance, for example. In order to be PCI compliant, employees must be trained at least annually. But does an annual training program necessarily equal a good training program? Clearly not.

What key areas should your security awareness program address in 2017? Attend the webinar Planning for an Effective Security Awareness Program in 2017 to establish a program that trains your users in meaningful and measurable ways.

Organizations must also make use of multiple communication methods. But does a program that includes online and in-person training, posters, and email communications necessarily do a good job of improving awareness? Again, no.

And don’t get us wrong. Most people, including us, would agree these are reasonable requirements for a security awareness training program. But a program that only satisfied these requirements would fall a long way short of ideal.

A Different Driver

Bad security awareness training programs are easy to spot. Just by glancing over the process, you know it isn’t going to achieve anything. And as we’ve already pointed out, most of the time this is the result of compliance-led training.

But there’s another problem. In almost all cases, organizations have no objective way of measuring the success of their security awareness training. After all, how do you measure awareness?

And while we’re on the subject, what does security awareness actually mean? That employees know cyber threats exist? That they know to look out for phishing emails? Something else?

If you think about it (and we have) security awareness really isn’t a useful concept. Security behavior, though, is a fantastic concept.

Security behavior can be observed and measured easily. If we want to keep an organization secure, eliminating bad security behaviors (and introducing good ones) is far more useful than increasing awareness. For a deep-dive into behavior and the human vulnerability, download the whitepaper Weakest Link: Why People Are Your Network's Greatest Vulnerability.

Let’s take phishing as an example. Clicking links in phishing emails is a bad security behavior, and one we’d all like our employees to avoid. Instead, what we’d really like is for employees to report those phishing emails so our security teams can analyze and quarantine them. If we focus our training efforts on obtaining this result, we’re almost guaranteed to see improvements compared with the traditional security awareness approach.

And if organizations across the country started using measurable behaviors, not compliance, as the driver for training, all our data would be much safer for it.

An Approach That Does Work

Focusing on behaviors instead of awareness, and measurable outcomes instead of compliance, is one part of the equation.

But whatever your motivations, there’s no cure for terrible training.

As an industry, we need to move away from boring classroom lectures and one-dimensional e-learning. Time and experience have clearly demonstrated that these approaches don’t work, so it’s time we paid attention to the writing on the wall.

If we want to change security behaviors, we need to bring training into day-to-day activities and routines, and constantly reinforce our key messages. We need to select a behavior that we’d like to change, and identify ways to deliver the appropriate training precisely when employees need it.

Now of course, some form of initial classroom or e-learning training is usually necessary. You’ll need to tell employees what is expected of them, and what support they can expect from you. Once that’s completed, though, you’ll need to be more creative.

Let’s return to our phishing example. We want employees to report phishing emails, not fall for them, so the first thing we need to do is ensure that an adequate reporting mechanism is in place, and that employees know how to use it. We also need to show employees what phishing emails might look like, and highlight aspects that could give them away.

Beyond this, though, there’s only one logical way to measure success: Phish your employees consistently.

We’re serious. Construct your own phishing campaigns, and periodically send them to your employees. If they’re successful in identifying and reporting them, that goes down as a win. If they aren’t, provide them with additional support in the form of further training or information.

Over time, you’ll be able to see how much your employees have improved, and identify which employees pose the biggest threat. Trust us, there will be a few who seemingly just don’t understand, and that’s fine. Perhaps they need more stringent security controls on their accounts, or some other additional measure.

But for the vast majority of your workforce, consistent testing and training will result in massive improvements to targeted behaviors.
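The measurement loop described above (send simulated campaigns, count reports as wins, track improvement over time, and flag the employees who keep falling for them) can be scored from the results you record. The following is an added example, not PhishLabs code; the campaign results and outcome labels ("reported", "clicked", "ignored") are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one (campaign, employee, outcome) record per simulated phish.
# "reported" is the behavior we want; "clicked" is the behavior we want to eliminate.
SAMPLE_RESULTS = [
    ("2016-09", "alice", "reported"), ("2016-09", "bob", "clicked"),
    ("2016-09", "carol", "clicked"),  ("2016-09", "dave", "ignored"),
    ("2016-10", "alice", "reported"), ("2016-10", "bob", "reported"),
    ("2016-10", "carol", "clicked"),  ("2016-10", "dave", "ignored"),
    ("2016-11", "alice", "reported"), ("2016-11", "bob", "reported"),
    ("2016-11", "carol", "clicked"),  ("2016-11", "dave", "reported"),
]


def campaign_metrics(results):
    """Per campaign: fraction who reported (win) and fraction who clicked (loss)."""
    counts = defaultdict(lambda: {"reported": 0, "clicked": 0, "ignored": 0})
    for campaign, _employee, outcome in results:
        counts[campaign][outcome] += 1
    metrics = {}
    for campaign, c in counts.items():
        total = sum(c.values())
        metrics[campaign] = {
            "report_rate": c["reported"] / total,
            "click_rate": c["clicked"] / total,
        }
    return metrics


def report_rate_trend(results):
    """Change in report rate from the first campaign to the latest one."""
    metrics = campaign_metrics(results)
    ordered = sorted(metrics)  # campaign labels sort chronologically (YYYY-MM)
    return metrics[ordered[-1]]["report_rate"] - metrics[ordered[0]]["report_rate"]


def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` distinct campaigns:
    candidates for extra training or tighter controls on their accounts."""
    clicked_in = defaultdict(set)
    for campaign, employee, outcome in results:
        if outcome == "clicked":
            clicked_in[employee].add(campaign)
    return sorted(e for e, c in clicked_in.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for campaign, m in sorted(campaign_metrics(SAMPLE_RESULTS).items()):
        print(campaign, f"report {m['report_rate']:.0%}", f"click {m['click_rate']:.0%}")
    print("report-rate trend:", f"{report_rate_trend(SAMPLE_RESULTS):+.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

Report rate, not "awareness", is the number that moves when training works; the repeat-clicker list is the group the post says may need stricter controls rather than another lecture.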

This approach isn’t limited to phishing defense. With a little creativity, any security behavior can be changed or reinforced using a similar method to the one we’ve described. All it takes is the right motivation (changing behaviors) and a little investment, and your security awareness training will be improved beyond recognition.

Employee Defense Training

Over the past few years, the vast majority of data breaches have resulted from a successful spear phishing campaign. This includes many of the high profile breaches covered by the media.

At PhishLabs, we’ve helped some of the top organizations in the world, including four of the five largest US financial institutions, to fight back against cyberattacks targeting their employees and customers.

With personalized training and reporting mechanisms, our fully managed employee defense training will prepare your employees for anything a threat actor can throw at them. Our analysts produce spear phishing campaigns, based on the latest real world examples, and track results in real time.

To find out how susceptible your employees are to phishing attacks right now, request a free assessment.

Topics: Phishing, Spear Phishing, security awareness training
