Management & Strategy

Getting Employee Security Awareness Training Right

Time after time, attackers seem to find ways to get users to open an attachment.

Throwing technology at this is one way to address the issue. Another is through security awareness training – but depending on who is being asked, that may be either a panacea or an undersized Band-Aid. Training employees right, experts said, takes a mix of clearly-defined goals, executive support and an understanding of employees’ roles and the target audience. 

“The number one problem in the typical security awareness program is a lack of well-defined, measurable objectives for the program,” said Gartner analyst Andrew Walls. “Well-defined objectives enable the design, development/acquisition of effective security education and training that produces measurable improvements in security.”

In general, Walls said, there are four types of objectives in security awareness programs: setting disciplinary baselines, meant to establish justification for disciplinary action when an employee breaks policy; regulatory compliance; establishing, diminishing or maintaining certain behaviors; and developing employees’ knowledge of security and risk management. It’s critical, he added, that organizations define, and gain executive support for, a set of learning objectives.

The other two areas where security awareness programs often fail, Walls said, are not understanding the intended audience, and pushing awareness topics and content that were not selected based on an assessment of risk.

“The organizations that remedy these three factors have effective awareness programs that produce measurable results,” he said.  

In a recent report with Wombat Security Technologies, the Aberdeen Group argues that if businesses can figure out a way to use training to change employee behavior, an organization’s cyber-risk can drop dramatically. According to the Aberdeen Group, an analysis of 29 independent benchmark studies involving more than 3,500 enterprises found that leading performers were 70 percent more likely than the lagging performers to have invested in awareness programs for their end-users.


“Mock attacks should be handled with great care and should include communication with appropriate management stakeholders, and often even the end users,” said Joe Ferrara, president and CEO of Wombat Security Technologies, which specializes in security training programs. “Before the first mock attack campaign is started, the security officer should meet with the management team to discuss the purpose of the exercise and assure them that this is not meant to trick anyone or make them feel badly. A company-wide communication can be sent a week or more in advance of the attack to share the same sentiment, that the purpose of any mock attack program is to assess vulnerability to attacks from the wild, and to provide brief information about how to recognize and avoid attacks.”

“Security officers should select a mock attack that is relevant to their environment and is likely to appear from cyber criminals themselves to get the best evaluation of end user susceptibility to real attacks,” he added. “Once they have notified all parties and allowed enough time for people to forget about the program, it is time to initiate the attack and then collect the results.”

Not everyone is completely sold on the idea of security education dramatically impacting the security of an organization, however.

“While security awareness training is one part of a comprehensive information security program, its effectiveness is somewhat negated by the simple fact that it only takes one human to click on something bad to jeopardize the entire enterprise,” said Norm Laudermilch, COO of Invincea. “So even if 99 out of 100 employees paid attention in class and learned what not to click on, the one employee that was home sick that day would put the company at the same level of risk as if no awareness training was done at all. In addition, today’s malvertising threats make any awareness training useless because the user doesn’t even have to click on anything to execute malicious code and create an infection. The mere act of browsing to a reputable website owns the entire enterprise.”

Security awareness training cannot be a once-a-year event and still be effective, said Elise Yacobellis, director of global development at (ISC)², which provides security education and certifications for IT professionals.

“There needs to be continuous training as well as communications and marketing involvement to keep the messages fresh in the minds of the employees,” said Yacobellis. “The entire program needs buy-in from upper management to incorporate this learning into the daily life of employees. The awareness messages must be pertinent to each individual’s area of responsibility. In other words, the message needs to be simple and trackable to the tasks that each individual performs.”

A campaign should also be developed with marketing, communications and human resources with timely reminders about security awareness concepts, she said.

“In today’s world of training, an organization’s internal Learning Management System (LMS) should be utilized to track progress of employees’ training sessions, testing of concepts, and answering knowledge-based questions that allow an individual to retain the information,” she said. “These efforts should be supported by managers of the employees and considered part of an individual’s performance objectives. By having all departments working together, this will send a cohesive message to employees regarding the high importance of security and their role in that effort.”
