7 research-backed tips to improve your security awareness training
We love talking to clients and security practitioners about exactly what’s working at the ground level of their security awareness programs. However, sometimes it’s helpful to take a step back and look at the security awareness space from a research data perspective.
That’s why we were so eager to host a webinar with Michael Osterman from Osterman Research to discuss not only the data from his latest security awareness research, but also seven best practices to act on the findings. Here’s what we learned.
Phishing simulations & training
All data and images were provided courtesy of Osterman Research’s downloadable report Best Practices for Implementing Security Awareness Training.
1. Be flexible to your corporate culture
Enthusiasm and support levels vary not only from company to company, but even within companies in different departments and management levels.
Instead of forcing security training based on what you think is most effective, work with senior management and employees alike to develop a strategy that blends your security awareness program with your existing corporate culture.
Views on security training
2. Make sure training covers everything relevant to your organization
68% of security practitioners rank data breaches, phishing attacks and CEO fraud attacks major concerns. It’s easy to assume your employees share your security concerns, but it's much more likely that under-trained employees lack both the ability to spot security threats and a true understanding of attack consequences. A breach only takes one oversight, so remember to focus not only on your greatest threats, but also to train for all possibilities.
3. Schedule phishing simulations at random intervals
Only 5% of security practitioners report phishing and spearphishing as a decreasing threat at their organization. Whether you’re trying to decrease your phishing rate or maintain your workforce’s phishing defenses, your phishing simulation tactics are extremely important. Think strategically about simulation effectiveness over quantity of phishing simulations alone. Schedule phishing simulations in random intervals to eliminate your employees’ ability to predict your phishing email cadence and track behavioral change over time.
4. Training frequency is key
If you want security awareness best practices to stick, you need to keep security top of mind. The question is: what is the right training frequency and how should training be delivered? Although there is no magic number, shorter bursts of training distributed more frequently are most effective. By layering training exercises with ongoing phishing simulations and event-activated learning to link training to real events, you can automatically deliver training at the most effective frequency.
Security awareness training frequency
5. Tailor training to the right groups
The most effective security awareness programs deliver the right training, to the right people, at the right time. This means delivering training tailored to your company’s industry and your employees’ roles, as well as triggering relevant training in the most teachable moments. Despite its effectiveness, only 27% of security practitioners report using a human firewall approach to run a complete security awareness program. When building or improving your security awareness program, start with tailored training for the most immediate impact and continue to integrate training exercises into the day-to-day workflow of employees. This will build security into the fabric of your company and drive real behavioral change.
6. Focus on behavioral change
On average, security professionals see technical infrastructure as a more useful tool for stopping security incidents than security awareness training. While security awareness training shouldn’t replace technical controls, it’s important to remember they work hand-in-hand, not independently. Physical infrastructure is great at preventing attacks until a phishing email hits an employee’s inbox or a targeted attack goes undetected. It’s important to look at security training in terms of the behavioral change it drives rather than a compliance requirement or philosophical pursuit. Not only is behavioral change the ultimate end-goal of your training, but it's also measurable. Focus on phishing rates, number of employee-reported emails and events blocked by endpoint protection to back your security awareness program with data.
Security training vs physical infrastructure
7. Don’t punish mistakes
On average, security professionals report relatively low confidence in their employees’ and senior executives’ ability to properly handle phishing and spearphishing attempts. Having limited confidence in employees’ ability to handle security threats makes it even more important to treat security incidents as learning opportunities rather than fuel for punishment. Punishing clicks on phishing links can drive fear and even promote shame or secrecy around security incidents rather than encouraging information sharing and security awareness.
Security professionals' confidence in users' abilities
See Infosec IQ in action
Improve your security awareness training with Infosec IQ
Infosec IQ provides phishing simulation and security awareness training in one automated platform to engage and motivate all learners to care about security, improve their personal security defenses and report suspicious activity. With library of 1o00+ realistic phishing simulations and more than 700 training modules, assessments and support resources, Infosec IQ can not only help you implement Osterman’s seven research-backed tips, but also help you build and measure your entire security awareness program.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- 7 research-backed tips to improve your security awareness training
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness