Organisations have an obligation to teach their staff to be aware of cyber threats, especially if they are aligning their security management programmes to one of the many standards seen around us in the security industry. As we navigate the complex problem of how we achieve a robust cyber security aware culture, the need for a better solution has never been higher. It’s been clear for many years that the traditional approach to security awareness training, along with the widespread use of phishing campaigns to assess organisational resilience, is increasingly falling short. But why is this? One fundamental characteristic is common across all failed security awareness programmes—they lack engagement. They miss the human element – the varying ways individuals learn, retain information, and respond to threats.
Failing Security Awareness Programmes
Traditional security awareness training, delivered in the form of an annual video or slide deck, is certainly outdated. The issues with this model are twofold. Firstly, the infrequency of training means that key information is not reinforced over time. Users forget the details or fail to stay updated on new threats throughout the period between engaging with the content. Secondly, the one-size-fits-all content does not account for different learning styles, leading to inconsistent retention and utility across the organisation. People in sales roles work and behave differently from the technical teams or commercial teams, and they all have different personality types and learn differently.
Moreover, using phishing campaigns to test an organisation’s resilience against cyberattacks doesn’t generate useful metrics, and can also present problems of its own. These tests only check a user’s individual susceptibility at a specific time and can give a false sense of security (or insecurity).
The user’s mindset, workload, and even their location (office, hotel room, airport) can significantly affect their ability to detect a phishing attempt. They may be in a hurry, hungry or tired, late for a deadline, or waiting for an important phone call. Each situation changes the mindset and could introduce factors that make the results from one day potentially irrelevant to the next.
Phishing campaigns also focus solely on negative behaviour (clicking on the malicious link or opening the dodgy attachment) rather than rewarding positive behaviour (reporting the attack). This approach leads to a culture of fear and punishment rather than encouraging proactive security behaviour and makes people close off from the security team and report nothing for fear of drawing attention to themselves.
Make it Personal
The solution lies in a personal approach to awareness programmes, incorporating principles from the science of behavioural economics into its design. Behavioural economics focuses on understanding how individuals make decisions and tailoring the training to influence their behaviour. What is really driving these people in their behaviour and how can the security team teach within the boundaries of those traits?
Instead of presenting a slide deck filled with statistics about cybercrime, consider using real-life examples and storytelling to make the information more relatable. Tell stories about people struggling with their credit score after their identity was stolen can show exactly the kinds of things that will impact the individual. You can also incorporate interactive elements, such as quizzes or simulations, and even choose your own adventure games to engage different types of learners.
For example, instead of presenting a slide deck filled with statistics about cybercrime, consider using real-life examples and storytelling to make the information more relatable. Tell stories about people struggling with their credit score after their identity was stolen can show exactly the kinds of things that will impact the individual. You can also incorporate interactive elements, such as quizzes or simulations, and even choose your own adventure games to engage different types of learners.
Moreover, the training should be delivered more frequently – short, monthly sessions are far more effective than an annual marathon. Regular reinforcement helps to keep the information fresh in users’ minds and allows for timely updates on emerging threats.
Cyber Ranges—Will they Help?
Cyber ranges, while a valuable tool for teaching technical skills to security professionals, are not a solution for security awareness. They are focused on the technical aspect of cyber security and less on the human element. We need organisations to address the entire business and look at the behaviour of their individual teams, not put the onus on the security team to defend everyone—as we already know that doesn’t work.
The market is ripe for innovative solutions that combine behavioural economics, personalised learning, and a more comprehensive view of what the word resilience means. By moving away from outdated methods and embracing a more tailored approach, we can create a culture of cyber security awareness that empowers individuals, strengthening our collective defences against threats.
Director of Research & Innovation, Sekuro
Tony has been in information and cyber security for a very long time and delivered projects and services across a bunch of different industries through a variety of different roles. Over the years, Tony has always tried to bridge the growing skills gap through his employment, by mentoring, teaching and working with other disciplines to help them understand the complexities of what we do.