Security Awareness Training: Are You Setting Yourself Up for Failure?

Security Awareness Training: Are You Setting Yourself Up for Failure?

May 02, 2017
Kym Harper

Wombat_Blog_SecurityAwarenessTraining_May2017 (1).jpg

As security awareness training becomes a requirement for an increasing number of organizations both large and small, it’s important to examine whether the components of your program are assembled in a strategic manner that contributes to long-term behavior change for your end users. If not, you’re likely setting yourself up for failure.

 Remember, to move the dial on cybersecurity awareness and application of best practices, you have to do more than just check a box, and your program needs to be more than a once-a-year endeavor. Our methodology — which dictates regular, ongoing use of assessments, education, reinforcement techniques, and measurement — has been proven to maximize learning and lengthen knowledge retention for end users.

We’ve compiled a list of bad habits to avoid and followed up with some recommendations on strengthening your program. See how your approach measures up below.

Bad habits to avoid in your security awareness training program:

  • Relying strictly on mock phishing attacks to change behaviors
  • Delivering training only once or twice a year
  • Providing examples that are too conceptual and/or that lack real-world relevance with actionable steps
  • Covering too many topics at once or requiring employees to spend more than 30 minutes to complete training in a single sitting
  • Failing to motivate employees to participate in training
  • Using training so flashy it interferes with your message, or conversely, using a medium (like auto-run videos or presentations) that lacks an interactive component and “talks at” the learner
  • Neglecting to make a clear link between assessments (like simulated phishing attacks) and training that relates to your assessments
  • Leading with negative reinforcement rather than positive reinforcement
  • Including culturally insensitive examples that might be offensive to certain regions of your workforce
  • Focusing on passive measurements (like “completed/not completed” tracking for assignments) rather than metrics that allow you to analyze program success

Customers who have employed our Continuous Training Methodology have seen up to a 90% reduction in successful external phishing attacks and malware infections.


Best practices to implement in your security awareness training program:

  • Introducing employees to the value of cybersecurity awareness and training, and helping them to make a personal connection to the benefits of learning
  • Identifying vulnerabilities in an engaging, positive-minded manner that motivates the end user
  • Explaining the “why,” not just the “what” to your end users and your stakeholders
  • Delivering focused training in short, “bite-sized” bursts that minimize disruption to daily business activities
  • Providing practical, contextual lessons that are relatable, easy to remember, and actionable
  • Choosing training modules that include engaging simulations, stories, and gamification to drive active participation
  • Allowing users to practice while they learn
  • Reinforcing key principles and empowering employees to report suspicious emails and other cybersecurity concerns
  • Utilizing measurement tools that make it easy to track participation, gauge training effectiveness, analyze progress, and share key metrics with stakeholders

We make a clear distinction between “awareness” activities and “training” activities, and based on our expertise, organizations who also make this distinction — and execute on both types of initiatives — have the most effective cybersecurity education programs. If you don’t currently implement all of the best practice we highlighted above, there’s no better time than now to develop a plan to implement the necessary changes that will raise the bar of your program and take your employee training to the next level. And if you are currently a Wombat customer, don’t hesitate to reach out to your Customer Success Manager, who can help you identify opportunities to make the most of your security awareness and training investment.