The 7 Deadly Sins of Security Awareness Training
Stay away from using these tactics when trying to educate employees about risk.
![Pulpit of the Seven Deadly Sins in Austria, where human heads are carved onto a seven-headed serpent](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt4c6519bcf5293abe/655f591d82661f040aac230d/7sinsheader-imageBROKER.com_GmbH_Co._KG-alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo
A one-size-fits-all approach won't produce meaningful changes in staff behavior. In other words, don't give the human resources department the same training you would give your IT team.
"Security awareness programs often falter due to a fundamental lack of understanding of human behavior and the specific cultural dynamics within a company," says Jason Hoenich, an awareness expert and vice president of strategy at Arctic Wolf. "Many programs are built on generic, one-size-fits-all models that don't consider the unique needs, interests, and challenges of the individual employees."
A 2020 incident garnered a lot of bad press for an employer that used the lure of a holiday bonus as part of a phishing simulation. The employees who fell for the hook and filled out a form asking for personal information were instead given mandatory security training. This is an example of an extremely insensitive approach to training. Just don't do it, says Tonia Dudley, a security industry veteran who has served as a CISO and worked with many awareness programs.
"Examples of sensitive topics can be benefits enrollment during the real benefits enrollment period, a bonus announcement during a real bonus grant period, or even leveraging an internal training completion announcement during the compliance training period," she says. "These incidents of negativity can lead to senior leadership questioning the value or impact of the program, doing more damage than good."
Of course, compliance is necessary. But if you are devising your awareness program simply to fulfill a compliance requirement, you aren't really building a security-conscious culture.
"Security awareness programs go wrong when the program is still stuck in the 'compliance' mindset," Dudley says. "Yes, we have regulatory obligations, but that doesn't mean you can't take the program beyond regulations and compliance."
Security leaders are also under pressure to produce metrics that show the value of their awareness programs. But true success in awareness is not always easy to capture in a number.
"Making a culture and behavior shift takes time and doesn't happen overnight," Dudley says. "There isn't a 'quick fix,' and the threat landscape continues to shift. That means programs need to be nimble. Many programs try to outline topics and the full year all at once. This doesn't give you room to adjust as threats change."
A punitive approach that punishes employees for falling for phishing simulations, rather than educating and empowering them, will often have the opposite of the desired effect on staff awareness, according to Gabriel Friedlander, founder of Wizer, a security awareness training provider.
"When employees feel threatened by the security team, it works against the company," he says. "For example, they might think twice about reporting accidental phishing incidents because they're scared of getting in trouble. This is particularly concerning because early detection of a breach can be the critical difference between containing the breach and experiencing a complete collapse."
Friedlander recommends that security leaders align the content of their awareness program with how people consume content on social media. Emphasize short-form content and use emotional hooks to maintain their attention.
"Make your content public and encourage people to share it with their friends and family," he says. "The more they share, the more successful your program becomes. The ultimate goal is to turn each employee into an ambassador at home."
Organizations should also dispense training on platforms like Slack and Teams to drive engagement, Friedlander adds.
"Security awareness should be more than just a one-way dialogue," he says. "Instead of solely delivering content, the security team should encourage engagement by motivating employees to ask questions and share their experiences with scams."
Culture and security concerns vary from place to place. Understanding the culture of the organization you are trying to train is essential to building security culture, says Julie Rinehart, a security awareness program owner at Biogen, a Massachusetts-based biotech company.
"The goal of a security awareness program is to influence human behaviors based on threats [and] tactics targeting the company and risks identified internally," Rinehart says. "If the program owner or leadership is bringing behavior assumptions from their previous company without validation, the program will be ineffective. Past experience is an asset, but every company is different, so reevaluating is a requirement."
Effective security awareness programs educate staff about risks and — if done well — dramatically reduce data breaches and attacks within an organization. While there are many tactics that work, there are also plenty of clunkers.
What are some of the more "sinful" ways companies try to dispense awareness education, only to find out their efforts are not working? Here's a look at the seven deadly sins of security awareness so you can avoid these missteps when crafting your own program.