# #

January 6, 2021

Cybersecurity Human Risk Management: The Better Approach to Security Awareness

Is your company required to offer annual security awareness training to meet compliance? 

Welcome to the club... We know how this plays out. 

Despite your best efforts to push the training modules, no one seems engaged. And you know all-too-well from past experience that even those who pass all the security tests now will struggle to retain what they’ve learned later. 

Here’s the good news: we have identified a few reasons your training falls short, and we’re here to share why—as well as introduce you to a better approach to security awareness education that turns your users into your best asset of cyber defense.


Why Your Employees Aren’t Engaged in Training

Engagement is a crucial element in any educational program: when the audience isn’t paying attention, understanding is limited and applying the lessons is nearly impossible.  Without proper employee engagement, your cybersecurity awareness training might check the compliance box, but it’s falling on deaf ears. 

One of the biggest issues in today’s training landscape is that businesses do a poor job of motivating their team and instilling vested interest in the company’s cybersecurity. 

Instead, many training modules actually use disengaging tactics to push security training like:

Compliance Necessity

When training is only introduced to mark a compliance checkbox, employees can tell. Executives choose training programs, pass them to frontline managers, who begrudgingly pass them to individual contributors who go through the motions to check the box… or worse, take the test without actually watching the training videos.  

These users are more likely to “do it to do it to say it’s done” rather than apply the concepts and learn how to actually keep the company more secure. But it’s not their fault! So often, the focus of training is on all the things employees can do wrong and all of the ways bad actors are smarter than they are. All of the ways they can cost the company a lot of money. It’s meant to incite fear, can be stressful, and just doesn’t get the job done. 

No Actionable Data and Insights 

It’s hard to show the return on investment (ROI) in security awareness training, since the metrics used to measure its success are often vague or useless. This makes it hard for a CISO to prevent their training budget from being cut. Some companies are then forced to choose the most affordable training program— not realizing that it’s likely cheaper for a reason. Whether the lessons are presented in a boring, cut-and-dry fashion or the material itself is dated, the format and quality of the education may be a bottleneck in their employees’ learning and retention. 

Fear-Based Repercussions 

A common way businesses push cybersecurity awareness is through fear-based motivation, scaring employees with threats like “if you do this or don’t do this, a bad thing will happen and you’ll get in major trouble.” While this paranoia may yield quick one-off results— like inspiring an employee to update an antivirus software— it’s important to recognize that fear is a short-term emotion. In the long-term, it can be both ineffective and toxic to your work culture, creating an environment where you employees don’t feel trusted or autonomous. 

Traditional Security Awareness Training Just Doesn’t Work

When employees start their training, rarely do managers explain to the staff why better security matters beyond the compliance checkmark. The employees are often never told about the ROI of strong customer trust and saved time, money, and headaches of not facing a breach. 

Instead, employees are threatened with the punishment of feeling shamed or even being fired for their mistakes. “Fear can leave employees in a constant state of anxiety, which makes them unable to think clearly about threats,” explains The Wall Street Journal, “Alternatively, such heavy-handed, scare messaging can make employees disgruntled and uninterested in security, thinking that the threats are exaggerated— and that bosses don’t trust them to do the right thing.” Mix that with unengaging training materials and you’ve got yourself one apathetic employee.

Over the years, it’s become more and more clear that the traditional approach to security awareness training of feeding off of FUD (Fear, Uncertainty and Doubt) doesn’t work. This avenue paints employees or end users as the problem in cybersecurity— the weakest link, the “bad guy” who leaves companies vulnerable and open to attacks— when really employees are a business's strongest asset.

The Better Approach...

As it turns out, your users aren’t merely helpless, risk-prone exposure points. Instead, they’re a key part of your defensive security strategy— and should be treated as such. This starts with a crucial mentality shift in how you perceive your team. They are your key to creating an impenetrable defense against cybercrime and should be strengthened, supported, encouraged and motivated. Not shamed. Only then— and with the right educational resources— will they join forces in your higher security initiative. Only then will you see proven, lasting change.

The desire for more pertinent and engaging training materials has spurred a more inventive, playful approach to cybersecurity education: experiential learning. Experiential learning is all about creating an experience for the end user to learn by doing, or “showing (and participating) rather than telling” the student ways they can champion your cybersecurity initiative. 

A prime example of this practice in action is the use of escape rooms to simulate cyber threats, encouraging employees to come together to problem-solve as a team. With 2020’s COVID pandemic making it harder to host in-person events, our team at Living Security was proud to frontier the movement towards virtual escape room-style experiences. With memorable storylines and limited timers increasing the thrill of “winning,” employees feel like they’re playing a game all while learning! 

It’s why global giants like Mastercard are amongst the long list of companies adopting this fresh approach to security awareness training. “We brought a competitive team to the session, so it was easy to stay engaged. We didn’t want to miss a clue,” said Amanda Gioia, vice president of technology risk management at Mastercard. “The story was compelling, and our team was racing against the clock to have the best score compared to other teams on the leaderboard. Each of us learned something from each security-related challenge, and more about each other and how we approach challenges as well.”

Curious to learn more about the benefits of incorporating cyber experiences like this into your own cybersecurity awareness training? Check out the article from SC Magazine.

Getting started

At Living Security, we believe that users must be strengthened, supported, encouraged and motivated with customized, precise training that is not only effective, but also pertinent, engaging, fun and memorable. 

We know that’s a lot to debunk, but we also know that’s the only way to spark PROVEN, LASTING CHANGE in behavior and culture. It’s a concept we call “cybersecurity human risk management”— and we want to show you what it’s all about. 

We’ve identified 7 Essential Trends of Human Risk Management for 2021 and compiled them into one guide, so that you can learn more about the new approach to driving PROVEN, LASTING CHANGE, starting today.

# # # # # # # # # # # #