Just because your security awareness training is ‘engaging’ doesn’t mean it works
Creative, funny, and wildly engaging security awareness training doesn’t lead to lasting behavior change. What it does is make people say, “I really enjoyed your training and videos.”
It’s time to put an end to the ‘trick, train, and entertain’ mentality.
If there is no change in security behaviors, there is no reduction in organizational risk. Simple.
And before you point to your phishing simulation click rates and report rates as ‘evidence’ of behavior change, know this:
Done badly, phishing sims do more harm than they do good.
Be honest with yourself: they only focus on a very narrow set of behaviors, and other important behaviors are ignored—leaving you exposed.
They don’t address the full range of security behaviors you need to address to reduce the risk of a successful phishing incident.
They don’t tell you why people do or don’t click.
Side note: we have so much to say about phishing simulations that we wrote the (e)book on it.
So, what’s the alternative to ‘trick, train, entertain’? Nothing worse than people going off on something without offering up better suggestions.
So, we’re giving you ten.
10 things you need to do to start influencing long-term security behaviors
1. Stop with the ‘trick, train & entertain’ mentality
This isn’t enough to genuinely and demonstrably reduce your risk. And you do want to reduce risk in a way you can prove, don’t you?
2. Accept that security awareness training has serious limitations
Train your people, yes. But recognise it for what it is—a compliance requirement, and something that helps raise awareness. Stop pretending it’s making a big difference to your people’s security behaviors. It isn’t.
3. Stop blindly focusing on ‘engagement’
Engagement without changes in security behavior is meaningless. That’s it.
4. Be specific
Be specific about the security behaviors you want to influence, and why. Focus on addressing those specific behaviors. Stay focused. It’ll help you determine whether you’re making any impact.
5. Set real objectives
Set objectives that are linked to risk-related outcomes. So instead of “I want X number of people to have completed the training,” try “I want to reduce the instances of account compromise.” This will help you support people in the best ways for your organization.
6. Be more scientific
Be clear about the scientific evidence behind the behaviors you choose and the interventions you apply. Recognise that, unless you’re a scientist, your survey questions probably aren’t scientific and may be skewing your data.
7. Measure what matters
Start measuring the impact you’re having on specific security behaviors. Of course, it isn’t easy, but that doesn’t mean you shouldn’t do it.
8. Give real support
Your people don’t need (or want) more training. They need and want help. ‘Trick, train, and entertain’ them. Or help them. You decide. Provide information that’s relevant to them. Make better use of apps and mobile technology like CybSafe. It works. Personalize the help they get. Nudge them in the right—and most effective—way.
9. Be careful with phishing simulations
Stop trying to catch people out. And recognise that your click rates and report rates are only a very limited measure of anything useful. ‘Clicking’ and ‘reporting’ are just two of many security behaviors you should be trying to impact within your organization.
10. F*ck awareness
Most people don’t care about cybersecurity. Never forget that. And, the truth is, they might never care—at least not to the extent that we’d like. That doesn’t mean all is lost. It just means we shouldn’t rely solely on things like engagement, event attendance, and knowledge.
You’re going to need to dig deeper if you want to influence long-term security behaviors. Where to start? Start with this.