Employees are more likely to buy into and act on cybersecurity awareness training when they’re interested by the content, according to a new study conducted by Osterman Research.  

Key points:

  • The end goal of awareness training is systemic change within an organization, not just behavioral changes among individuals.
  • Those who are interested by their cybersecurity awareness programs are more likely to report threats and practice good cyber hygiene.
  • Cultural and systemic changes start at the top, with senior management and IT leaders.

What’s more important in protecting your company against cybersecurity threats: technology or users? Admittedly, it’s a bit of a chicken-or-the-egg type paradox — each relies on the other in order to achieve the end goal of cyber safety.

When Mimecast posed this same question to participants in a survey, 78% of IT/security decision makers and influencers responded that technology and user awareness training in combination are equally effective in minimizing cyber risk. But between those who chose just one of the two options, security training was the winner.

An SE Labs test in 2020 found that the total accuracy rating for Microsoft Office 365 Advanced Threat Protection was just 28%, while third-party security solutions in the same test had an accuracy rating of 94%. Even if an organization has invested in a best-of-breed security vendor to filter out 94% of threats, how employees interact with that remaining 6% is absolutely crucial.

Mimecast sponsored an Osterman Research study, The Truth About Cybersecurity Training, to get to the bottom of how to make awareness training most effective. We found that on top of spurring behavioral change, organizations need to engineer systemic change in their company cybersecurity culture.

The best way to do that? Pique employees’ interest.  

Behavioral vs. Systemic Change

Creating a cybersecurity awareness culture is something organizations continue to struggle with. Recent studies and examples illuminate this problem. An Osterman/MediaPro study found that one in three employees believe there is little to no security risk in not securing a laptop or mobile device with a password — a dangerous falsehood. In December 2020, GoDaddy sent employees a phishing simulation promising a one-time $650 holiday bonus if they filled out a form by the end of the week. 500 employees failed the test. Imagine the damage if that had been a legitimate phishing scam.

Why do these security misconceptions and failed security actions persist?

Cybersecurity training should aim for behavioral change, yes, but for true efficacy, organizations need to inspire systemic change in addition to individual, one-off actions. The process should look something like this:

2021-01-13 12_00_29-WP_TheTruth_CybersecurityTraining_Osterman_final.pdf - Adobe Acrobat Reader DC.png

Genuine Interest Sparks Systemic Change

The Osterman research found that interest is a key way to motivate systemic change. 83% of those who found training ‘boring’ also thought that awareness training was either minimally helpful or altogether useless. Conversely, of those who touted the efficacy of their awareness training, 65% found the program to be at least ‘somewhat interesting’ or ‘very interesting.’ Therefore, the more interested employees are, the more likely they are to buy in to security culture.

There is a similar relationship between users’ level of interest in their security awareness training and the proportion that can report suspicious content. Among those who find their training to be ‘boring,’ only 76% can report suspicious emails and the like. However, among those who find their training to be ‘very interesting,’ 95% can report suspicious content to their IT and/or security teams.

Those who find awareness training ‘very interesting’ were also more likely to update passwords regularly, use unique passwords, enable two factor authentication, and make other security changes — with a majority attributing this personal change to awareness training.

Think of it like a school course. The more interested a student is in a subject, the more likely she is to find it valuable and relevant to real life, and the more effort she will put into her study of it. Meanwhile, a student with no interest in the same subject is more likely to do the bare minimum on a homework assignment just to get it over with.  

Next Steps to Improving Security Culture

Osterman recommends the following action items based off of this research:

  1. Train users with a view toward systemic change. Good security awareness training will result in security-first “muscle memory.” Habits like skepticism about suspicious-looking requests, care in opening attachments or clicking on links, and caution when accessing new networks will become more or less automatic to those properly immersed in good security training.
  2. Get buy-in from the board of directors and senior management. If security awareness training is to be successful, it must first find strong support among those who have the power to make it so. Senior management should view meaningful awareness programs a way to make employees a part of the solution. To set an example, they must also be willing consumers of the training, not merely those ordering others to go through it while not participating themselves.
  3. Figure out if your current culture supports good training. If senior managers are not teachable, if employees are resistant to the idea of change, or if management merely gives lip service to good security awareness training without providing adequate funding and effort to make it happen, the culture simply won’t change.
  4. Make sure that training is adequate and tailored to the organization. While generic training is useful, each industry and organization faces a unique set of threats. Security awareness training must address all of the issues that are relevant to the organization, as well as those that are specific to the industry in which it operates.
  5. Make training interesting and enjoyable. The research reenforces the importance of engaging security awareness content. The more interesting users find training to be, the more effective it is in developing the necessary change in users’ security mindset.
  6. Measure your success and identify areas of improvement. A Forrester research study, sponsored by Mimecast, found that when it comes to security training programs, 45% of organizations do not capture feedback from employees and 33% do not utilize metrics to monitor success. 
  7. Ensure training is more positive than punitive. Security awareness training should be primarily about enforcing positive changes, not punishing negative ones. In fact, research published in the Wall Street Journal found that fear was an ineffective tactic in training employees to be cyber-vigilant, and often backfired.

The Bottom Line

A lot goes into systemic change, but one of the most effective ways to change a communal mindset is through engagement. When people are genuinely interested and invested in something, you won’t need to constantly remind them to do the right thing.

Read the full report here: The Truth About Cybersecurity Training.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Q&A: Best Practices for Building a Culture of Cybersecurity

With cybercriminals increasingly well or…

With cybercriminals increasingly well organized, companies m… Read More >

Mercedes Cardona

by Mercedes Cardona

Contributing Writer

Posted Jan 07, 2021

Fear Doesn’t Train Employees to be Cybersafe, Creativity and Trust Do

Scaring employees is an ineffective way …

Scaring employees is an ineffective way to make them cyber-v… Read More >

Miranda Nolan

by Miranda Nolan

Security Writer

Posted Jan 05, 2021

9 Ways to Build a Robust Cybersecurity Culture

Effective cybersecurity requires a perva…

Effective cybersecurity requires a pervasive organizational … Read More >

Bill Camarda

by Bill Camarda

Contributing Writer

Posted Dec 01, 2020