Needless to say, you need to tackle the human risk part of your security. Most companies have been using cybersecurity awareness training to educate employees on threats to try mitigating the risk of attacks happening because of human error.
Does awareness training really work? Can an organization lower its human risk profile by implementing policies, meeting compliance, or creating awareness about common threats with infrequent one-size-fits-all phishing training, interactive training modules, videos, e-learning materials, posters, and newsletters?
In this article, we will argue that investing in employee awareness training does not mean that you are actually lowering your risk. Awareness training won’t guarantee that all your employees can recognize a suspicious email or test employees´ knowledge whether they know not to take action on potentially malicious emails. Awareness training can educate employees by explaining they need to report anything odd to the security team. However, often the process of reporting threats is also not seamless enough to activate employees.
To make you think about whether security awareness training is what you need, we will compare security awareness and security engagement. By the end of this article, you should have a clear understanding if an engaging employee training can have an impact on lowering your organization’s risk profile compared to traditional awareness programs.
Leaving a permanent impact on people’s learning curves
Having policies and maintaining compliance are extremely important. In many companies, security teams talk about ‘compliance awareness training.’ Compliance awareness training usually comes with a set of instructions and self-study guides. However, even when people go through all of the materials and complete all of the mandatory tests, they may not remember much a few days or weeks later. The employees and the organization will complete the requirements to remain in compliance, but little impact is made on employees´ behavior change when training is compliance focused.
The theory does not replace practice. Employees should frequently engage in practical training. Awareness training often lacks enough exercise.
Frequent, practical training is the only viable way to teach employees what they need to do when a threat hits their inbox. When you invest in employee training as a security team, what you want to see is long-lasting behavioral changes. When people receive the right security training, they don’t need to think twice to correctly evaluate a suspicious email and report it.
The sole purpose of security engagement training is to ensure that everyone is learning through practical exercises. As a result, whenever the employees see something odd, they report it to the security team. It is more than simply creating awareness about existing threats. Security engagement training prepares employees to face real-life cyber threats and be confident about their actions.
Let’s discover in more depth how engagement training is different from awareness training.
Frequent vs. infrequent training
Security awareness training is often delivered infrequently. Even when you invest in phishing training, it may not be frequent enough to teach people what they must do once they become aware of a threat.
Before going deeper, let’s think about it through a simple example. When you are learning a foreign language, some say that you need to see or hear a new word thirty times before you will memorize it and be comfortable using it. Of course, this varies based on the individual’s level or previous exposure to similar words. Some may need to practice only ten times, while someone else may need to practice more than thirty times to gain mastery. It also depends on the difficulty level of the word.
It’s the same with phishing simulations. Sending one phishing email a month or in a quarter won’t make your employees learn to recognize extremely sophisticated malicious emails (mainly that social engineers act fast and create new emails frequently). Repetition is the key to learning, which also applies to cybersecurity training.
Some of your employees will need a lot more repetition than others. Some people will also find particular simulations complicated that others don’t find challenging.
Security engagement training makes sure that all your employees get frequent training, and it is also adjusted to their level. Engagement training goes one step further: it understands that not all employees learn or comprehend training the same way.
Awareness training is not tailored to the individual. Often, all employees get the same guides, and even when companies invest in phishing training, the simulations lack variety and customization that would be relevant, for example, to the individual’s role or department.
This is one aspect that the Hoxhunt engagement training aims to solve through using artificial intelligence (AI) and machine learning (ML) to customize each simulation to the individuals.
Beyond the hyper-personalization, the training must be engaging. Great employee experience is necessary to make sure that most of your employees willingly participate and report hazardous emails.
Awareness training usually lacks a great user experience. At Hoxhunt, we wanted to create a training that would almost get people “hooked” on participating. We use a fun and gamified approach, where participants in the training can compete with each other. As people want to join – because of their competitive nature or simply because they learn that there are a lot of threats out there that could harm your company – engagement rates will increase. This applies not only to training but also to the reporting of actual threats.
Increasing the engagement rate and motivating people to participate will not only help you reduce failure rates (more on that later) but will also build a strong security culture where every employee knows that their actions can positively impact your company’s security.
Positivity that leads to behavior change
For a moment, let’s go back to the comparison of how people learn a foreign language. Psycholinguists talk about the importance of motivation in language studies. If you are not motivated to learn a language or you have negative feelings toward it, it will be tough to learn the language properly.
On the other hand, when one has a positive feeling toward learning a language—even when the given language is difficult—the person is more likely to succeed in learning the language.
Psychology and positive reinforcement play crucial roles in cybersecurity engagement training. People should feel good about participating in the training, and they should feel like they are succeeding. Training shouldn’t be seen as something negative that consumes the valuable time of your employees.
Employees often associate awareness training with negative feelings. First of all, they may find simulations too easy and training materials too dull. In some cases, there can also be a punishment for failing the training.
To engage people and make them participate, training should instead focus on motivating and rewarding them.
Measure how your employees perform
When companies do awareness training, security teams can’t always tell whether the employees are learning to recognize threats. To see whether your training is working, you should monitor the following metrics:
The reporting rate is the percentage of how many of your employees are constantly participating in the training.
The failure rate refers to how many employees who are reporting threats fail the simulations. The lower the failure rate is, the lower your organization’s risk profile is. There is a correlation between people’s success in recognizing threats and lowering the human risk.
The number of reported real threats
Security engagement training is a way to instruct your employees that they need to report all suspicious emails. Having data on the threats that reach your employees will empower the security team with better information on the type of threats that bypass your technology stack so that team members can better plan incident response management.
How the right behavior leads to more visibility of threats and better incident response management
When people learn to recognize threats through simulations, people will learn at the same time that they should also report all other emails that they find suspicious. The behavior of reporting everything through the security engagement platform means that the security team will have more visibility on the threats that surpassed the email filters.
The higher the reporting rate is, the more data your company can generate on threats. This information can be used to plan incident management processes better or to mitigate breaches or attacks.
How Can Engagement Training Reduce Your Risk Profile?
- Your goal is to teach security measures to all of your employees. Increasing participation rates up to 70% means that most of your employees are learning to be prepared to do the right thing when they see a threat.
- When your employees report the threats that slip through the email filters, you can be more confident in your defenses and know what has been happening.
- When people learn to look out for threats, they will also learn not to act upon them. Accidents can still happen, but failure rates can be reduced from 25% to 2%.
- Automating the training means that employees will receive more frequent training, including up-to-date simulations.
- Using AI and ML for the detection and classification of threats, so you only need to focus on the ones that actually require your attention.