Revitalizing your security awareness program in 2022
Another year passes, and how has your security awareness program evolved?
So, you’re glad to put 2021 behind you, and start a new calendar year. Maybe you’ve even made some resolutions on both the personal and business side. One of those things might just be “To do something about our stale security awareness program.”
It's hard to feel good about a program that has boring content that doesn't engage employees
You may not have been able to identify exactly what's wrong with your awareness program, but chances are it comes down to two fundamental issues:
1- Your training relies on boring content delivery and quizzes; and
2- Nothing motivates people to practice what they've been taught in a way that strengthens the culture of security.
As Mark Rasch points out in his article on Security Boulevard:
“We must find a way to go beyond training; go beyond learning to change and reinforce culture... The average employee is compelled to take a 15-minute training session on security (Alice shares her password with Bob. Is this a) Good or b) Bad?)” - Mark Rasch
Rasch has a very good point. Another year has passed, and as Rasch laments, it's disheartening to realize that employees can often "click through" a security awareness course without committing any of the guidance to long-term memory. How can we expect them to learn to defend against cyberattacks with only these simple tools?
But unengaging courses and quizzes aren't the only tools being used these days. We also have phishing simulations, which theoretically provide the benefits of measuring risk decisions while also allowing for a teachable moment for employees. It seems like a good idea, but is it the best way to teach and assess these skills?
Phishing simulations have their place, but they should not be the primary employee learning and assessment tool for security awareness
Many managers I speak with tell me, "We use live phishing simulations..." as their primary awareness tool, as if that's all they need. While these assessment tools have their place in testing real risk decisions in an operational setting, the difficulty level of most phishing simulations makes them analogous to giving people a pass/fail math test on trigonometry after teaching them just a short lesson in basic geometry. It doesn't provide employees with a fair way to practice, let alone learn fundamental techniques for defending against common cyberthreats.
Despite their many pitfalls, management seems to have a misplaced love for live phishing simulations because they provide a simple metric and they are highly visible. But I've seen a tendency not only for executives to rely on the low-assurance data from live tests, but for the IT managers running those tests to deliberately make them so difficult that they are more likely to provoke backlash from employees than to produce any useful learning.
From my experience, seeing results from testing thousands of employees, it becomes counterproductive to have more than one phishing simulation per month. And live phishing simulations don't address the many other risk scenarios presented by social engineering threats that don't use email (e.g. SMS, phone, voicemail, or in-person).
So, is it really a mystery why commonly cited figures still put the share of security breaches that involve a decision by an employee targeted by phishing or social engineering at around 90%?
Changing behavior calls for a different approach that focuses on applied skills, not comprehension
It’s very difficult to change behavior with current security awareness training methods that really don’t teach or fairly exercise employees’ decision-making skills. It's hard to imagine making them endure more of the same on an ongoing basis, especially if it really isn't fundamentally changing behavior enough to change the corporate culture.
From a culture point of view, quizzes and videos (even entertaining ones, even delivered every month) are not memorable, and can only take you so far in moving employees up Bloom's Taxonomy, from knowledge and comprehension to application and analysis, which is what is really needed to change behavior.
Revitalizing your awareness program requires immersive gamified learning to engage with employees
Moving beyond bland quizzes of knowledge and comprehension to a highly interactive, immersive employee experience is what's needed to create a more effective and positive environment for teaching and assessing employees' cyber security skills. Gamified simulations can motivate employees to actually immerse themselves in realistic, relevant risk scenarios they will likely face at some time in the future.
Gamification has a well-documented track record of getting employees to focus and learn. And what I've learned after years of teaching security awareness is that immersive gamified learning can also be used to revitalize security awareness programs, reinforcing behavior in a way that is sustainable, effective, inclusive and has a positive impact on culture. Nobody feels targeted, and there are fewer implementation issues than with traditional live phishing simulations.
More data on employee proficiency is needed to manage human vulnerabilities
A single data point about course completion is not a solid indicator of an employee's understanding of cyber security concepts. And data from live phishing simulations only provides negative information about the small fraction of employees who failed to apply what they were taught: the ones who clicked when they shouldn't have. It says nothing about whether those employees learned from the simulation, or about what everyone else actually knows about analyzing threats. Only time will tell.
On the other hand, immersive gamified security awareness isn't just a better way of delivering training content for phishing and other types of social engineering threats. The higher degree of employee interaction during immersive simulation exercises provides a basis for rich vulnerability data, giving a higher level of assurance for managing security risks related to human decisions. Data has shown that, with repeated exercises, it is possible to consistently improve the average employee's ability to spot phishing messages by 50%. Without gamification, there is very little motivation for employees to repeat an assessment and improve their abilities, and very limited data on which to base any trend analysis for risk management.
The first step in revitalizing: aim to move from boring training to immersive engagement, the only real alternative to "more of the same"
To really make a change in your awareness program, you must be able to envision your desired end state. Do you want to continue the frustrating and adversarial relationship between employees and the Security team? Or do you want to set a goal of having a team that understands what they need to do, and in which you have confidence that it can actively help reduce losses due to cyberattacks? The latter requires a new approach, which is easily achieved using immersive, gamified learning.