Security Awareness Training: ‘Petrified Users’ Shouldn’t Be Your Goal


Given what we do, it should come as no surprise that we like to keep our finger on the pulse of the security awareness training market. (You aren’t recognized as a Leader by Gartner for four years running by operating with blinders on, after all.)

We are particularly interested to know how end users are responding to training efforts in different organizations and different industries. Since we believe that users are key to cybersecurity postures — those who maketh the mistakes can also take them away, right? — it stands to reason that we also believe that organizations should consider how their end users might feel about (and react to) cybersecurity education efforts.

One comment we regularly see floating around infosec forums like Spiceworks is that an organization’s program has “petrified” its end users, making them afraid to interact with any emails they receive. Most of the infosec folks who make these types of comments seem pleased by this outcome and think they have succeeded — but we respectfully disagree. In fact, we feel frightened users are unproductive users. And here are three reasons why:

  1. Email is crucial to the flow of business – If your employees don’t know how to appropriately handle email, and their knee-jerk reaction is to think that every message is a phishing email that is too dangerous to deal with, your program is not only failing your users, it’s failing your business. Petrified users disrupt the flow of activity, and that is not a win on any level.
  2. You create more work for your IT response teams – Yes, you absolutely want to teach your users to report suspicious messages and reach out to your helpdesk or IT personnel with questions and concerns. But not for every message. If you condition your users to avoid interacting with any message that contains a link or attachment or request for information, you will inundate your response team on an hourly basis and needlessly delay responses to business-critical requests (see point 1).
  3. Your users are capable of so much more – Make no mistake: If you believe your users cannot learn, you automatically limit the expectations you have for your program. The reality is that workers in all industries, at all levels, and in all roles frequently learn new things and effectively apply them on a daily basis. The same is possible for cybersecurity best practices. Instead of taking a counterproductive, “IT vs. end users” mindset, try to put yourself in your users’ shoes and embrace the opportunity to change behavior and reduce risk.

It’s time to raise the expectations you have for your security awareness training program — and the intellect and capabilities of your end users. Yes, a healthy sense of paranoia does everyone good when it comes to cybersecurity. But you need to stop short of creating a pervasive paranoia that terrifies your users, petrifies your business, and overloads your IT staff. Instead, focus on empowering your employees with the knowledge they need to make informed decisions. There are true, measurable benefits to including your users in your prevention and protection efforts rather than treating them like problem children who should be seen and not heard.