Study: Boring Cybersecurity Awareness Training Does No Good

Employers need to ask their employees about the effectiveness of their training.

Edward Gately, Senior News Editor

September 24, 2020


A new study shows boring cybersecurity awareness training doesn’t persuade employees to be secure.

Osterman Research conducted the study, which was co-sponsored by MediaPro. The firm, which surveyed 1,000 U.S. employees for the study, also polled IT managers and decision makers.

As users get more security awareness training, their ability to deal effectively with security threats increases. Users who get proper training are much more likely than their untrained colleagues to spot phishing attempts, business email compromises and other cybersecurity threats.

The research supports the claim that employees get far more benefit out of interesting and engaging training.

Just Ask Employees

Lisa Plaggemier is MediaPro’s chief strategy officer. She said employers need to ask their employees about the effectiveness of their cybersecurity awareness training.


MediaPro’s Lisa Plaggemier

“Some companies do this, but I think others might be afraid of the answers they get in return,” she said. “It might mean that you need a dedicated resource running your training and awareness program, who has a communications or marketing background, instead of a security engineer doing it as part of their job. You can also tie specific metrics to test the effectiveness. For example, does incident reporting increase once you’ve trained people on how to spot and report a potential incident?”

Other Findings

Other key takeaways from the report include:

  • IT, security and business leaders generally want to establish a strong cybersecurity culture within their organizations. But they’re somehow not conveying that idea effectively to a large number of their employees.

  • Cybersecurity awareness training is perceived to be as important as technology in dealing with security threats; therefore, organizations will devote more employee time to training over the next year.

  • About 45% of employees surveyed expect to spend 15 minutes or more per month in training by mid-2021. That’s up from 26% in 2020.

  • Senior IT and business management are much more enthusiastic about security awareness training than are non-management employees.

  • Security and IT leaders, their staff members and business leaders are largely on board with the idea that developing a strong cybersecurity culture is important. Everyday employees, however, are much less convinced about the importance of doing so.

Employers should buy training that really connects with people and doesn’t talk down to them, Plaggemier said.

“There are so many good options on the market these days,” she said. “There’s no excuse to run boring training. In some organizations, their own culture can get in the way. They resist using humor, for example, because it doesn’t fit with their brand or the security team feels you shouldn’t use humor for such a serious topic. Complex problems need creative solutions.”

MSSPs Can Help

Michael Osterman is a researcher and the president of Osterman Research.


Osterman Research’s Michael Osterman

“I believe there are more opportunities than challenges for MSSPs and other providers, such as Microsoft, which provides security natively within Microsoft 365,” he said.

There are two fundamental drivers for the growth of MSSPs. First, technology helps organizations address their security concerns, and MSSPs can help with this. Second, the cybersecurity skills shortage is motivating many CISOs to outsource at least some of their security to third parties.

“That said, we see the growth of security awareness training and the growth of technology-focused solutions, including the outsourcing of at least some security functions to MSSPs, to be synergistic,” Osterman said. “Outsourcing relieves some of the burden on already-overworked security staffers so that they can focus on the more onerous threats and attacks that take substantial time to investigate and remediate. And training enables users to detect and avoid many of the threats that will inevitably make their way through even the most robust security defenses.”

The study does point to overall progress being made in terms of cybersecurity awareness training, he said.

“For general phishing emails, there was a nearly six-fold increase in the percentage of users who are capable or very capable at detecting them after training compared to their ability pre-training,” he said. “We also found major gains in user capabilities at recognizing targeted emails and scams in social media after they received training. Plus, it’s important to realize that we were surveying organizations that have various levels of efficacy in their training, and so the most effective training would result in even better numbers than these.”


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
