In broad terms, you could think of security awareness training as making sure that individuals understand and follow certain practices to help ensure the security of an organization. From this perspective, security awareness training has been around practically forever, especially when you consider the need for security in military applications.

Today, security awareness training emphasizes information security, and especially cybersecurity. Rapid advances in information technology — and parallel innovations by cybercriminals — mean that employees and other end users need regular, specific training on how to stay safe online and protect their information and that of their employers.

This article is an introduction to security awareness training and its importance: why organizations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness program.

Why Do Organizations Conduct Security Awareness Training?

Cybersecurity awareness training has a critical role to play in minimizing the serious cybersecurity threats posed to end users by phishing attacks and social engineering. Key training topics typically include password management, privacy, email/phishing security, web/internet security, and physical and office security.

There’s also a business case to be made for security awareness training, as explored in the Aberdeen Group’s report, Security Awareness Training: Small Investment, Large Reduction in Risk. The researchers conducted a workshop with enterprise security leaders to find out why they invest in security awareness and training. They found that:

  • 91% use security awareness to reduce cybersecurity risk related to user behavior.
  • 64% use it to change user behavior.
  • 61% use it to address regulatory requirements.
  • 55% use it to comply with internal policies.
why conduct security awareness training

 

As these statistics suggest, some organizations use security awareness training simply because they must, in order to comply with external or internal requirements. But this training also makes financial sense, according to the report: “an incremental investment in security awareness training results in a median reduction in the annualized risk of phishing attacks of about 50%, and a median annual return on investment of about 5 times.”

The Evolution of Security Awareness Training

While the core concepts of cybersecurity awareness training aren’t new, it has reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cyber Security Awareness Month. The initiative, by the National Cyber Security Alliance and US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as the regular updating of antivirus software.

Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.

The focus, methods, and effectiveness of security awareness training have undergone significant changes over the years. Back in 2004, most programs were driven by the need for compliance — simply meeting regulatory requirements. Today, that focus has shifted to seeing cybersecurity awareness training as a means to manage and mitigate organizational risk.

Along the way, training methods themselves have matured. In 2004, the dominant paradigm was for annual presentations, either as in-person training sessions or long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. A gradual shift toward short, focused training on individual topics represented an improvement, but these trainings were still presented infrequently, which allows knowledge to dissipate over time.

evolution of security awareness training

 

Around 2014, security awareness training began shifting toward continuous education and improvement, in which a program includes ongoing cycles of assessments and training. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end user exhibiting poor cybersecurity behavior, such as unsafe web browsing.

Tools for Training End Users

Today, infosec professionals use a variety of tools to train end users, as can be seen in our State of the Phish™ Report. The dominant tool — and one that continues to grow in popularity — is computer-based awareness training.

  • 79% use computer-based awareness training.
  • 68% use phishing simulation exercises.
  • 46% use awareness campaigns (videos and posters).
  • 45% use in-person security awareness training.
  • 38% use monthly notifications or newsletters.

Well-designed training programs often make use of several of these tools. Equally important is to deploy these tools in a systematic, methodical way that allows you to track and measure progress over time.

Our highly effective training solutions utilize our Continuous Training Methodology, designed with Learning Science Principles to engage the learner and change behavior.

Tools for Training End Users

 

The way we employ Learning Science Principles was proven to be effective through research performed at Carnegie Mellon University.

Effectiveness of Security Awareness Training

Our own case studies and Results Snapshots have shown persuasive results:

95%

Over a two-year period, a financial institution recorded a 95% reduction in malware and viruses, and a greater awareness of cybersecurity threats.

90%

A college in the Northeastern US reported a significant reduction in malware and viruses, a 90% reduction in successful phishing attacks, significantly fewer support requests, an increase in the number of users reporting incidents and attacks, and a greater awareness of security issues.

89%

An employee benefits organization realized more than an 89% reduction in phishing susceptibility utilizing our assessment and education modules as core components of their security awareness and training program.

80%

Security awareness training helped city government employees reduce average click rates by 80% in one year and avoid a sophisticated wire transfer fraud attack.

Creating a Security Awareness Training Program

Training employees versus cybersecurity experts takes a unique strategy. Users are not cybersecurity experts, so they need information given to them in an engaging way that helps them visualize and understand phishing.

Your security awareness program should have several features:

  • Content: The content should be easily digestible and understandable for a general audience and provide information in an organized way such as chapters and lessons.
  • Executive support: Executives are responsible for ensuring users follow procedures, so training material should have content that can be distributed across departments.
  • Frequent program updates: The cybersecurity landscape changes, so the program content should also change. Every year content should be reviewed and refreshed to cover the latest threats.
  • Testing: Testing users with real-world phishing emails and social engineering scenarios will help them identify threats. The example exercises should mimic real-world attacks.
  • Reporting: Integrated with tests, reporting will tell administrators who clicked links and submitted sensitive data. The reports will identify employees who need additional training.
  • Surveys: After training, send survey questions to managers, executives, and staff members so that they can provide feedback for improvements.

The way you organize and develop security training will determine its effectiveness. You need a strategy for the way content is written and organized. An example model for development:

  • 10% formal: Although it’s corporate training, formal content should be the least sections in your training material. Formal content can be difficult to read or hard to digest, but it can be important for specific facts and examples.
  • 20% informal: Informal content such as webinars, videos, and collaborations better engage users. This content should not be a majority of training sources, but it can be more than formal to help users better understand concepts.
  • 70% real experience: Content in this section should be customized to fit the organization’s culture and experience. This type of content is usually developed by a third party so that all staff members get the most out of the training.

The content included in training material should be information, but it should also be for people who have never experienced a phishing attack. It should cater to beginners even if you have some people who are much more educated on the subject. It should be engaging enough that users want to dig further into details and learn more. Training is for people to build a skill, and this skill is detecting phishing and social engineering for users who are unaware of the many ways attackers create campaigns against businesses. They can even learn to protect their personal accounts from phishing and social engineering, so users get additional benefits from corporate security training.

Proofpoint offers a full suite of products for your security awareness and training program: from knowledge assessments and phishing simulations to interactive training, powerful reports, and easy-to-use dashboards.

Anti-Phishing Training Suite

Anti-Phishing Training Suite

Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training program.

Simulated Phishing Attacks

Simulated Phishing Attacks

Quickly and effectively assess how susceptible your employees are to phishing and spear phishing attacks with our ThreatSim® Phishing Simulations. End users who fall for simulated phishing attacks are automatically presented with a Teachable Moment. This “just-in-time” guidance lets users know what they did wrong and offers tips to help them avoid future threats.

Security Awareness Training

Security Awareness Training

We recommend that your security awareness training program include organization-wide phishing education as well as targeted anti-phishing training. Our unique approach and interactive training modules help you deliver effective cybersecurity education in a flexible, on-demand format that minimizes disruption to daily work routines.

PhishAlarm® Email Reporting Tool

PhishAlarm Email Reporting Tool

Reinforcing best practices is critical to improving retention. Our PhishAlarm® email reporting tool enables end users to report a suspected phishing email with a single mouse click, reinforcing positive behaviors. Our optional PhishAlarm Analyzer email prioritization tool maximizes PhishAlarm’s capabilities and streamlines response and remediation efforts on reported emails.

What Makes Proofpoint Security Awareness Different

Because security awareness training works with the human element in cybersecurity, it’s important for organizations to find a company that can connect with users. Proofpoint’s training is developed to empower employees, vendors, and contractors with the information needed to detect and stop phishing attacks. We differentiate ourselves using a number of factors.

  • Proven results. Security training has shown to reduce click rates by up to 50%.
  • Real-world examples. Train employees with real-world examples so that they recognize a phishing email more effectively.
  • Better compliance. Proofpoint training improves compliance by educating users on proper auditing and recordkeeping when working with customer data.
  • Engaging for users. All lessons and training courses are created to engage users so that they get the most out of their sessions.

Security Awareness and Education Platform Key Features and Benefits

Learn about Proofpoint Security Awareness and Education Platform. Understand the benefits and features including real-time reporting, customizable content, and multinational support.

Security Awareness Modules, Videos, and Materials

Proofpoint’s security training for employees can improve knowledge retention, facilitate behavior and reduce risk. Learn about out our training videos, materials and modules.

Business Intelligence Reporting for Security Awareness Training

Our modern, full-featured reporting makes it easy to benchmark, track, and trend user knowledge; evaluate progress; and gauge security awareness training ROI.