Platform

Unify HRM Overview

Platform

Capabilities

Identify: HROC Dashboard
Human Risk Quantification (HRI)

Insights

Benchmarking

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report
Report
Measure progress and ROI of action plans

Board and Executive Reporting

Manager Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

February 25, 2021

Why Your Security Awareness Training Just Isn't Working

Each year you invest in a new cybersecurity awareness initiative— with a large focus on security training.

But despite dumping big dollars into educational videos and resources, you’re not sure it’s all worth it. Employees and management dread the program, complete the bare minimum to pass and rarely retain anything they’ve “learned.”

If you’re feeling like your team isn’t getting the most out of your high-spend security program, the awareness content might not be the only problem...

Here are a few other reasons your training is falling short:

1. You create panic, instead of deep understanding.

It’s not uncommon for IT Managers or Security Awareness Program Owners to roll out their annual cybersecurity training as a requirement. Quite frankly, employees only have themselves to blame for forcing IT to make it mandatory, since they’re dumb enough to fall for security attacks— or at least that’s often the perception.

Security Awareness Program Owners share news stories about the big, scary threat landscape and all the crazy ways hackers are tricking businesses. Of course, these stories sensationalize the disastrous financial and reputational repercussions of said breaches and paint the targeted employees as the bad guys for being easily duped. Employees compare themselves to these foolish victims who should have known better than to fall for a phishing scam.

As a result, you push a culture of FUD (Fear, Uncertainty and Doubt) that makes your team believe you find them untrustworthy. Your team thinks the stories are exaggerated and becomes bitter that you don’t trust them to uphold your security. This creates a general resentment and distaste towards the security initiative. Instead of having an open mind to the training, your team begins with a bad attitude, ready to get it over with to get you off their backs.

What Works Instead

Instead of pushing your security initiative as a FUD campaign, incentivize it. Even if it is a mandatory measure, encourage and reward your team for a job well done instead of highlighting all the things they’re doing wrong. Internally you can analyze their mistakes and push supportive exercises to help them improve, without shaming them for struggles.

It’s important to create a culture where you prioritize understanding over completion of your lesson plans or modules. Anyone could play a few videos without listening and cheat on a recap exam to check the box of “finishing” a course. But by creating a sense of enthusiasm and genuine support of learning you are empowering them to sincerely learn!

Spark your team’s interest in your security program with these seven ideas for deeper engagement.

2. You give employees security awareness, which is not what they care about.

IT Managers and Security Awareness Program Owners know the problem, alright? It’s obviously that their team doesn’t know any better! They’re ignorant to cyber threats and need to be educated. They need to be made aware of risks. Only then can they appropriately spot and report them.

What you may not realize is this isn’t the only problem.

To be blunt, many employees don’t care about your company’s cybersecurity. To them, that’s IT’s job— while theirs is to focus on what you hired them to do. They’re not interested in learning about or upholding your security because they’re not invested in it.

What Works Instead

What they are invested in is their own personal security threats at home. If you can talk about threats in a way that appeals to them personally, your team will learn for their own individual good— as well as the good of your company.

This may involve a slight pivot in messaging, wherein you speak to each departments’ and each human being’s interests. Instead of teaching them about privacy settings for your business, appeal to their desire for better privacy for their children’s online browsing and show them ways to modify it there. Or explain how malware may compromise their personal banking in an effort to help them understand how to better protect your financial information. Don’t be afraid to speak to the concerns of each individual department too, by painting examples that apply to them specifically.

3. You stop short of changing behavior.

Passing a cybersecurity awareness training program is one thing; applying what your team has learned is an entirely different ballgame. Many businesses forget this crucial next step, thinking of their team’s training completion as the end-all-be-all. Employees completed the course and know what to look out for— now the Security Awareness Program Owner's job is done until next year’s training!

The problem with this mindset is that sometimes knowing is not enough: doing makes all the difference. Your team could know they should use the password management software you implemented, but if they’re still storing passwords in a Word document because it’s easier than learning a new tool, that knowledge alone does you no good!

Do you have your security policies clearly spelled out with ways to track your team’s compliance to them? One study featured in Forrester’s 2021 report showed that only 27% of global information workers claimed to be aware of their current security policies, while 8% admitted to straight-up ignoring or going around their security policies!

What Works Instead

A certificate showing that team members passed your awareness training program is great and all, but how are they applying what they’ve learned? It’s up to Security Awareness Program Owners and IT Managers like yourself to lay out specific policies and proceedings for how your team will support your initiative after the program is complete and the rest of the year awaits.

Learn more about how to define and enforce specific behavioral changes by reading The 4-Step Guide to Cybersecurity Human Risk Management.

4. You don’t track your progress.

After you roll out your updated annual security policies and get your team on board with behavioral changes, it’s also your job to track the impact they’re having on your security initiative.

But we know that security success metrics can be hard to define and measure, and many organizations struggle to keep up with progress. Still, in order to show that all-too-important return on investment to execs and get budget approval for next year’s training, you need proof it’s moving the needle.

What Works Instead

It’s time to get serious about tracking! It’s only after you have data about your security initiative’s success that you can analyze it and make positive changes.

This may mean investing in a better security awareness training program that tracks your employee’s results and provides tangible takeaways, instead of simple pass or fail metrics. If you know where each department is struggling, you can offer them the extra support they need. Here at Living Security, our dashboards and tracking features are something worth bragging about, empowering you with all the insights you’ll need to speak management’s language.

Build a Culture of Security

Oftentimes, the initial bottleneck in your organization’s security awareness training success is your company’s culture around security. Luckily, it’s something you have the full power to change!

It’s about advocating your team as your security’s greatest assets rather than your greatest weakness— and it starts with awareness training content that empowers your users instead of scaring them.

That’s exactly what you’ll get with our Campaign in a Box package, which includes instant messages, emails, and other pieces of content in a language aimed at engaging your team, never shaming them.

Request our security initiative resources, today, to create a more positive culture around your training program.