Security Awareness Training: Knowledgeable Users Can Still Get Burned

November 20, 2019
Gretel Egan

As with all cybersecurity initiatives, you should set measurable goals for your security awareness training program. But you cannot expect cybersecurity education—or any type of education, for that matter—to bring about a mistake-free zone within your organization.

Knowledge Doesn’t Eliminate All Mistakes

Abraham Lincoln may not have been talking about cybersecurity, but the quote about deception commonly attributed to him certainly resonates in the context of cyber attacks:

You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.

Cybersecurity education will help to shrink those “somes.” But your users will never be perfect all the time, no matter how much training they receive. This is true even in the case of something as simple as touching a hot stove.

We all learned, at some point, that a hot stove can hurt us. A few of us learned by hearing the warnings enough times, from enough people. But most of us learned by doing it—we reached out and got burned.

That analogy illustrates why “hands-on practice” is one of the learning science principles we embrace within our training methodology: being placed in a realistic scenario and experiencing the consequences of your own decision creates a far stronger connection than being told about the risk secondhand.

But as we said, knowledge does not equate to perfection. Consider the hot stove analogy once more: Though we know a hot stove can hurt us, that doesn’t mean we’ll never get burned again. Lack of focus … being in a hurry … having a “brain cramp” … these and other issues can put us in harm’s way at any point—even if we “know better.”

Teach Proper Actions and Proper Reactions

So, does this mean you shouldn’t bother with training? Absolutely not. You definitely need to teach users the right actions to take when they are confronted with a potentially risky or dangerous situation. But you also need to teach them how to react properly in those cases when they accidentally get burned.

Above all, you don’t want them to try to hide what happened; this will only cause the problem to fester and grow. Instead, teach your users to recognize the potential after-effects of a cybersecurity mistake and encourage them to ask for help. Let them know the importance of reporting suspicious emails, even if—or perhaps especially if—they believe they’ve fallen for an attacker’s tricks. A report that arrives within minutes of a click gives your security team the chance to reset the exposed credentials, pull the same message from other inboxes, and look for follow-on activity; a report that never arrives leaves the attacker with a working foothold and no one looking for it.

Keep the lines of communication open between you and your end users. And keep your expectations realistic. Good behaviors are certainly the goal, but it’s important to recognize that they can happen on both sides of an attack: avoiding the trap in the first place, and reporting promptly once someone has stepped in it.