Phishing and social engineering attacks are exploding as threat actors increasingly discover that humans are the most exploitable entry point in organizations. Unfortunately, 70% of organizations still report that their employees lack critical cybersecurity knowledge, even when many have a formal security awareness training (SAT) program in place.
What Are SAT Programs Missing?
The success and effectiveness of security awareness programs hinges on three key cornerstones: content, experience, and relationships. Let’s break them down further:
Content: Content plays a big role in breaking down complex security topics into simple bits of information. Content quality matters a lot—the more personalized, relevant, and localized your training content, the more it will engage and resonate. This, in turn, will not only improve knowledge retention but also boost the application of cybersecurity practices.
Experience: The format of training, whether theoretical, visual, or experiential, has a direct impact on employee learning. The training tools, the various technological touch points, the duration and frequency of training, the level of flexibility, the level of engagement (games, incentives, promotions), and collaboration extended during the program all impact the learning outcomes of participants.
Relationships: Positive security habits stem from a positive security culture. A positive culture begins with a good relationship. The key elements of a good relationship are communication (conveying information with the goal of winning hearts and minds and influencing behaviors); empathy (respecting employee challenges, different learning abilities, and fostering an environment where they’re comfortable asking questions); trust (trusting employees to make the right security decisions) and respect (valuing employee contributions in protecting the organization).
Ultimately, a weakness in any of these three elements can lead to poor knowledge retention, low engagement, and a weakened security culture, leaving the organization more vulnerable to human risks.
Information Sharing: An Important Yet Overlooked Element of Security Awareness
The act of sharing information is a much-coveted security behavior and a promoter of security culture. When employees share security information with friends, family members, and colleagues, it reflects that they’re aware, care, and want others to be concerned about cybersecurity. But how do you promote information sharing? By analyzing why and how employees consume and share cybersecurity information, organizations can gain valuable insights to enhance their SAT programs.
Why Do Employees Share Security Information?
The short answer is they share because they care. When cybersecurity challenges, incidents, and threats remain top of mind, employees feel more concerned about the impact on their work and those around them. Ultimately, they feel motivated to share this information with others.
How Do Employees Acquire Security Information?
Studies reveal that employees acquire cybersecurity knowledge mostly through online and social media. Employees discover cybersecurity content via websites, blogs, and online news articles. Social media platforms such as Facebook, LinkedIn, or X serve as channels for sharing and receiving updates amongst each other, particularly in the 18-29 age group (Gen Z). Other sources of cybersecurity knowledge include direct sharing, broadcasts, podcasts, messaging from other companies, etc.
Key Takeaways
Recommendations organizations can follow to help boost their SAT programs include:
- Focus on the three cornerstones: SAT programs are often viewed as a checkbox or procedural. In reality, it’s an art: the art of delivering the right knowledge at the right time to the right audience in the right format. Focusing on three core pillars of training ( content, experience, and relationships) is key to building highly impactful SAT programs that influence culture and behavior, not just boosting awareness.
- Make SAT information shareable: When designing SAT content, it’s important to address things from an information-sharing perspective. Here are some important questions to ask: Are we prioritizing the type of content that motivates people to consume and share it with others? Are we delivering it in a format and manner that promotes sharing? Are we incentivizing people to share this information with others?
- Prioritize behavior over awareness: Awareness doesn’t always translate into action. In other words, even if employees have a good awareness of a threat, it does not mean they will behave securely. To maximize the effectiveness of SAT programs, it is essential to understand employee behaviors, identify key moments of human risk, and introduce intervention points or behavioral cues that encourage individuals to adhere to the correct procedures.
By 2030, millennials and Gen Z will comprise 58% of the workforce. According to EY Consulting, this group is particularly vulnerable to social engineering scams and is less serious about cybersecurity on work-issued devices than personal devices. Organizations must rethink their SAT strategies: focus on improving training content and relationships and make cyber information accessible and shareable because people consume and share a lot of information through social and online channels. Finally, prioritize behavior over awareness because cyber awareness alone does not lend itself to secure behaviors.
Erich Kron is Security Awareness Advocate for KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing, and defense fields, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere. He holds CISSP, CISSP-ISSAP, SACP, and other certifications. Erich has worked with information security professionals worldwide to provide tools, training and educational opportunities to succeed in information security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.