Security Behavior Change

No, more security awareness training content is not the answer

Masha Sedova

Published on 13 December 2018

You spend hours and hours developing your security awareness training program, and a couple of months in you conclude it’s not working: employees are making the same mistakes and the company is no more secure. So, you decide to add more training to try to fill in the gaps. It must be that employees just don’t know enough, right? Well, not exactly. All this does is take up more of your employees’ time, and without knowing exactly what they need to learn to improve their security skills, you may not move the needle no matter how much more content you add.

Truth is, it’s not about adding more security awareness training content, it’s about delivering the right content. In fact, your existing content isn’t necessarily bad at all; it just may not be exactly what your employees need. Perhaps the content is too basic for them and they simply glaze over it. Or it could be too advanced, leaving them uncomfortably numb and unable to apply what they learned. And since each team (sales, engineering, support, etc.) often needs slightly different training because of the nature of its work and the systems and data it touches, a one-size-fits-all course can leave some teams without the knowledge they need to do their jobs securely.

While it may seem that one-on-one training is the only other option, there is actually a much more streamlined approach to fine-tuning your security awareness training program to deliver the right training to the right teams. Follow the steps below to find out how:

1. Fill in the Gaps Strategically

There’s an old proverb that goes, “You don’t know where you’re going until you know where you’ve been.” In security terms, if you don’t know your team’s current strengths and weaknesses, you won’t know how to help them improve effectively. To deliver better security awareness training content, you first need to know where their weaknesses lie so you can address them. And once you know their strengths, you can consider reducing or even eliminating that training so you don’t bore them.

So how do you gain this critical insight? You could ask every employee what they feel their strengths and weaknesses are through surveys. You could also test their understanding through quizzes. However, both of these approaches only tell you what people know and perceive about security, and that doesn’t always translate into what people do. For example, according to a 2017 LastPass survey, 91% of people understand the risk of reusing passwords, and yet 61% use the same or similar passwords.

There is a better way to go about this. By leveraging the data that exists on a network, it is possible to observe how securely an employee behaves on the network and on their devices. The Elevate Platform actually measures where each employee and each team excels and where they need additional help based on the behaviors they exhibit over time. For example, it can measure that Timothy continuously uses weak passwords, yet Amy uses LastPass like a pro.

Security performers vs stragglers

It can also measure how well (or not) the sales team can detect phishing threats or whether the marketing team is at risk for public information exploits.

Behaviour map

2. Provide Targeted Training

Knowing which team members need more support in particular areas of security (e.g. malware detection, VPN usage, strong passwords, etc.), you can begin supplementing their training to help them do better. When the Elevate Platform measures the security behaviors of employees and detects that someone is lagging in a particular area, rather than just telling them they’re doing poorly and using negative feedback as motivation (hint: that is not motivating), it offers them targeted training on that specific area of security so that they can improve their score.

On a periodic basis, employees receive an email report from the Elevate Platform showing them how they’re doing and giving them specific action items to help them boost their scores. Because we’ve purposely built social proof into the tool, showing employees how their security chops stack up against their team and the company at large, the motivation to improve is there. And if it only takes a few minutes of additional security awareness training to clear up a gap in knowledge, that’s an easy enough action for even a busy employee to take!

Compromised chart

3. Develop Role-Based Training

If you learn that there are team-specific gaps in security knowledge, it’s worthwhile to create role-specific security awareness training. Otherwise, the sales team could be leaving customer PII wide open for theft or connecting insecurely to Wi-Fi at conferences, jeopardizing your sales systems, invoicing systems, and even your corporate network.

Creating role-based training can be a time-consuming task and is difficult to scale across all teams in an organization. Because of this, it’s critical to understand which teams need security attention and which can get a pass. If you can narrow down the exact security knowledge they need for their roles and not anything extra — even better!

Better Training, Better Outcomes

It’s not that security teams have bad content; in fact, the content we’ve seen over the years from companies is really great! It’s just that it’s being applied incorrectly. The route most companies take when they think their training isn’t working is simply to add more, thinking that will solve it. Instead, the content just needs to be relevant. Since this is an issue we’ve seen too many companies deal with, we decided to build individualized feedback and training as well as team-specific training into the Elevate Platform. Employees can take action in the moment to improve their scores, you can deliver more targeted training that they’ll appreciate, and the entire company will become more secure as a result.