Security awareness

7 research-backed tips to improve your security awareness training

December 2, 2019 by Tyler Schultz

We love talking to clients and security practitioners about exactly what’s working at the ground level of their security awareness programs. However, sometimes it’s helpful to take a step back and look at the security awareness space from a research data perspective.

That’s why we were so eager to host a webinar with Michael Osterman from Osterman Research to discuss not only the data from his latest security awareness research, but also seven best practices to act on the findings. Here’s what we learned.


All data and images were provided courtesy of Osterman Research’s downloadable report Best Practices for Implementing Security Awareness Training.

1. Be flexible to your corporate culture

Enthusiasm and support levels vary not only from company to company, but even within companies in different departments and management levels.

Instead of forcing security training based on what you think is most effective, work with senior management and employees alike to develop a strategy that blends your security awareness program with your existing corporate culture.

Views on security training

2. Make sure training covers everything relevant to your organization

68% of security practitioners rank data breaches, phishing attacks and CEO fraud attacks as major concerns. It’s easy to assume your employees share your security concerns, but it's much more likely that under-trained employees lack both the ability to spot security threats and a true understanding of attack consequences. A breach only takes one oversight, so focus not only on your greatest threats, but also train for all possibilities.

3. Schedule phishing simulations at random intervals

Only 5% of security practitioners report phishing and spearphishing as a decreasing threat at their organization. Whether you’re trying to decrease your phishing rate or maintain your workforce’s phishing defenses, your phishing simulation tactics are extremely important. Think strategically about simulation effectiveness rather than the quantity of phishing simulations alone. Schedule phishing simulations at random intervals so employees cannot predict your phishing email cadence, and track behavioral change over time.

4. Training frequency is key

If you want security awareness best practices to stick, you need to keep security top of mind. The question is: what is the right training frequency and how should training be delivered? Although there is no magic number, shorter bursts of training distributed more frequently are most effective. By layering training exercises with ongoing phishing simulations and event-activated learning to link training to real events, you can automatically deliver training at the most effective frequency.

Security awareness training frequency

5. Tailor training to the right groups

The most effective security awareness programs deliver the right training, to the right people, at the right time. This means delivering training tailored to your company’s industry and your employees’ roles, as well as triggering relevant training in the most teachable moments. Despite its effectiveness, only 27% of security practitioners report using a human firewall approach to run a complete security awareness program. When building or improving your security awareness program, start with tailored training for the most immediate impact and continue to integrate training exercises into the day-to-day workflow of employees. This will build security into the fabric of your company and drive real behavioral change.

6. Focus on behavioral change

On average, security professionals see technical infrastructure as a more useful tool for stopping security incidents than security awareness training. While security awareness training shouldn’t replace technical controls, it’s important to remember they work hand-in-hand, not independently. Physical infrastructure is great at preventing attacks until a phishing email hits an employee’s inbox or a targeted attack goes undetected. It’s important to look at security training in terms of the behavioral change it drives rather than a compliance requirement or philosophical pursuit. Not only is behavioral change the ultimate end-goal of your training, but it's also measurable. Focus on phishing rates, number of employee-reported emails and events blocked by endpoint protection to back your security awareness program with data.
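As an added example (not code from the article or from Infosec IQ) of tips 3 and 6 together: randomising the gap between simulation campaigns so the cadence cannot be predicted, and turning per-recipient outcomes into the click rate and report rate to track over time. The campaign names, gap bounds and sample outcomes are constructed for illustration.

```python
import random
from datetime import date, timedelta

DEMO_START = date(2020, 1, 6)  # constructed start date for the demo schedule

def schedule_campaigns(start, count, min_gap, max_gap, seed=None):
    """Return `count` send dates; each falls a random min_gap..max_gap days
    after the previous one, so recipients cannot infer a fixed cadence."""
    rng = random.Random(seed)  # seed only makes the demo reproducible
    dates, current = [], start
    for _ in range(count):
        current += timedelta(days=rng.randint(min_gap, max_gap))
        dates.append(current)
    return dates

def campaign_metrics(results):
    """Aggregate per-recipient outcomes into per-campaign rates.
    results: iterable of (campaign_id, clicked, reported) tuples."""
    totals = {}
    for campaign, clicked, reported in results:
        t = totals.setdefault(campaign, {"sent": 0, "clicked": 0, "reported": 0})
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {c: {"click_rate": t["clicked"] / t["sent"],
                "report_rate": t["reported"] / t["sent"]}
            for c, t in totals.items()}

def behaviour_trend(metrics, order):
    """Compare the first and last campaign in `order`; behaviour is improving
    when the click rate falls and the report rate rises."""
    first, last = metrics[order[0]], metrics[order[-1]]
    return {"click_rate_delta": last["click_rate"] - first["click_rate"],
            "report_rate_delta": last["report_rate"] - first["report_rate"],
            "improving": (last["click_rate"] < first["click_rate"]
                          and last["report_rate"] > first["report_rate"])}

# Constructed sample: 10 recipients in each of two campaigns, Q1 and Q2.
SAMPLE_RESULTS = (
    [("Q1", True, False)] * 3 + [("Q1", False, True)] * 2 + [("Q1", False, False)] * 5
    + [("Q2", True, False)] * 1 + [("Q2", False, True)] * 4 + [("Q2", False, False)] * 5
)

if __name__ == "__main__":
    for d in schedule_campaigns(DEMO_START, 4, 14, 45, seed=1):
        print("send simulation on", d)
    m = campaign_metrics(SAMPLE_RESULTS)
    print(m)
    print(behaviour_trend(m, ["Q1", "Q2"]))
```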

Security training vs physical infrastructure

7. Don’t punish mistakes

On average, security professionals report relatively low confidence in their employees’ and senior executives’ ability to properly handle phishing and spearphishing attempts. Having limited confidence in employees’ ability to handle security threats makes it even more important to treat security incidents as learning opportunities rather than fuel for punishment. Punishing clicks on phishing links can drive fear and even promote shame or secrecy around security incidents rather than encouraging information sharing and security awareness.

Security professionals' confidence in users' abilities


Improve your security awareness training with Infosec IQ

Infosec IQ provides phishing simulation and security awareness training in one automated platform to engage and motivate all learners to care about security, improve their personal security defenses and report suspicious activity. With a library of 1,000+ realistic phishing simulations and more than 700 training modules, assessments and support resources, Infosec IQ can not only help you implement Osterman’s seven research-backed tips, but also help you build and measure your entire security awareness program.

Tyler Schultz

Tyler Schultz is a marketing professional with over seven years of experience delivering SaaS solutions to organizations of all sizes. As a product marketing manager at Infosec, he is dedicated to helping organizations build strong cybersecurity cultures and meet their security awareness goals. He helps the Infosec team push the boundaries of effective and engaging security awareness training with a focus on experiential learning, gamification, microlearning and in-the-moment training. Tyler is a UW-Madison and UW-Whitewater graduate and Certified Security Awareness Practitioner (CSAP).