In broad terms, you could think of security awareness training as making sure that individuals understand and follow certain practices to help ensure the security of an organisation. From this perspective, security awareness training has been around practically forever, especially when you consider the need for security in military applications.
Today, security awareness training emphasises information security, and especially cybersecurity. Rapid advances in information technology — and parallel innovations by cybercriminals — mean that employees and other end users need regular, specific training on how to stay safe online and protect their information and that of their employers.
This article is an introduction to security awareness training: why organisations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness program.
Why Do Organizations Conduct Security Awareness Training?
Security awareness training has a critical role to play in minimising the serious cybersecurity threats posed to end users by phishing attacks and social engineering. Key training topics typically include password management, privacy, email/phishing security, web/internet security, and physical and office security.
There’s also a business case to be made for security awareness training, as explored in the Aberdeen Group’s report, Security Awareness Training: Small Investment, Large Reduction in Risk. The researchers conducted a workshop with enterprise security leaders to find out why they invest in security awareness and training. They found that:
- 91 % use security awareness to reduce cybersecurity risk related to user behaviour
- 64 % use it to change user behaviour
- 61 % use it to address regulatory requirements
- 55 % use it to comply with internal policies
As these statistics suggest, some organisations use security awareness training simply because they must, in order to comply with external or internal requirements. But this training also makes financial sense, according to the report: “an incremental investment in security awareness training results in a median reduction in the annualised risk of phishing attacks of about 50%, and a median annual return on investment of about 5 times.”
The Evolution of Security Awareness Training
While the core concepts of security awareness training aren’t new, it has reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cyber Security Awareness Month. The initiative, by the National Cyber Security Alliance and US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as the regular updating of antivirus software.
Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.
The focus, methods, and effectiveness of security awareness training have undergone significant changes over the years. Back in 2004, most programmes were driven by the need for compliance — simply meeting regulatory requirements. Today, that focus has shifted to seeing security awareness training as a means to manage and mitigate organisational risk.
Along the way, training methods themselves have matured. In 2004, the dominant paradigm was for annual presentations, either as in-person training sessions or long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. A gradual shift toward short, focused training on individual topics represented an improvement, but these trainings were still presented infrequently, which allows knowledge to dissipate over time.
Around 2014, security awareness training began shifting toward continuous education and improvement, in which a program includes ongoing cycles of assessments and training. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end user exhibiting poor cybersecurity behaviour, such as unsafe web browsing.
Tools for Training End Users
Today, infosec professionals use a variety of tools to train end users, as can be seen in our 2019 State of the Phish™ Report. The dominant tool — and one that continues to grow in popularity — is computer-based awareness training.
- 79% use computer-based awareness training
- 68% use phishing simulation exercises
- 46% use awareness campaigns (videos and posters)
- 45% use in-person security awareness training
- 38% use monthly notifications or newsletters
Well-designed training programmes often make use of several of these tools. Equally important is to deploy these tools in a systematic, methodical way that allows you to track and measure progress over time.
The way we employ Learning Science Principles was proven to be effective through research performed at Carnegie Mellon University.
How Effective is Security Awareness Training?
Our own case studies and Results Snapshots have shown persuasive results:
Over a two-year period, a financial institution recorded a 95% reduction in malware and viruses, and a greater awareness of cybersecurity threats.
A college in the Northeastern US reported a significant reduction in malware and viruses, a 90% reduction in successful phishing attacks, significantly fewer support requests, an increase in the number of users reporting incidents and attacks, and a greater awareness of security issues.
An employee benefits organisation realised more than an 89% reduction in phishing susceptibility utilising our assessment and education modules as core components of their security awareness and training programmes.
Security awareness training helped city government employees reduce average click rates by 80% in one year and avoid a sophisticated wire transfer fraud attack.
Creating a Security Awareness Training Program
We offer a full suite of cyber security education products for your security awareness and training program: from knowledge assessments and phishing simulations to interactive training, powerful reports, and easy-to-use dashboards.
Anti-Phishing Training Suite
Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training program.
Simulated Phishing Attacks
Quickly and effectively assess how susceptible your employees are to phishing and spear phishing attacks with our ThreatSim® Phishing Simulations. End users who fall for simulated phishing attacks are automatically presented with a Teachable Moment. This “just-in-time” guidance lets users know what they did wrong and offers tips to help them avoid future threats.
Security Awareness Training
We recommend that your security awareness training program include organisation-wide phishing education as well as targeted anti-phishing training. Our unique approach and interactive training modules help you deliver effective cybersecurity education in a flexible, on-demand format that minimises disruption to daily work routines.
PhishAlarm® Email Reporting Tool
Reinforcing best practices is critical to improving retention. Our PhishAlarm® email reporting tool enables end users to report a suspected phishing email with a single mouse click, reinforcing positive behaviours. Our optional PhishAlarm Analyser email prioritisation tool maximises PhishAlarm’s capabilities and streamlines response and remediation efforts on reported emails.