Human Risk Management—Why Security Awareness Training Is the Wrong Goal



Are my employees less likely to fall for a breach attempt? This is the ultimate question that security awareness program owners should ask. Instead, because of a lack of tools and resources and a shortage of quality training content to choose from, too many security awareness program owners are left with, “Hey, at least we passed our security audit.”

Checking the box feels good. It means something got done, time to move on to something else. We check boxes all the time: shopping lists, shows to binge-watch and, far too often, we also check the box for cybersecurity. 

The headlines are dominated by stories of what happens when all we do is check the cybersecurity box. The reality is that most cybersecurity programs assume technology can stop everything and underestimate the human impact that ultimately determines whether cybersecurity is successful or not. 

In cybersecurity, even though we throw multiple layers of technology at the problem, more than 80% of breaches are caused by human error. It’s easy to see why so many enterprises say more technology should be the answer—people are too unpredictable and not tech-savvy enough, plus, changing their behavior is too difficult. 

The Problem with Check the Box for Cybersecurity

Compliance audits are fun—said no one ever. This may be part of why most of us have such a low expectation for the quality of the security awareness training we endure each year. We do it because we have to, not because we want to—so the goal ends up being just as low as our expectations, to check the box.

Security awareness training is basically a good effort, in the right direction, and it gets us to the point where 79% of employees say they can recognize a phishing message. The problem is that 49% of this same group admitted they have clicked on links from unknown senders while at work. 

Awareness doesn’t equal a change in behavior. We need to be compliant with necessary guidelines and regulations, but the intent of those rules is to make employees more secure, so they know how to recognize and properly react to potential threats.

Why Compliance-Based Security Awareness Training Fails

Cybercriminals are actually quite clever. They research cybersecurity technologies to identify product-level settings and data retention policies, and deploy multi-stage, delayed-detection attacks that strategically piece together an intrusion without drawing attention to their activities. Even the best layered-defense strategy isn’t enough to prevent these, because they need only one person to let a tiny piece of code into the network. They don’t need to breach the CEO or head of finance to get the valuable data they’re after; they will socially engineer their way in by going after employees who aren’t expecting to be targeted. 

This is why every employee needs to be ready. 

When the focus has been, and for many organizations remains, “Are we compliant?” cybercriminals easily stay ahead of those organizations. When checking the box for training is the goal, stale, boring, repeated content and once-a-year compliance training are all too common. 

We need to be focused on the real goal, to answer the ultimate question, “Are my employees less likely to fall for a breach attempt?” This is what Human Risk Management is all about.

Turning Humans into Your Best Asset

In order to make every employee a security champion, it’s important to first accept that one size does not fit all. Different groups and departments require different training because they face different types of threats, and every employee has different strengths and weaknesses.

Here are some of the key items your Human Risk Management platform should deliver: 

  • Automates the analysis to identify problem areas, showing which users and groups need to be strengthened
  • Personalizes the type and level of security training to the audience so they know what to look out for and how to respond
  • Trains for the next threat with current, updated content, not just check-the-box compliance modules
  • Engages users with a fully gamified platform to reinforce learning and improve retention

Take a scientific approach to analyzing human risk factors, and combine that with engaging and experiential learning so that employees not only get the training they need, but enjoy the experience, thus retaining practical knowledge about what to do when faced with a threat.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
