Building Security Awareness: A Modular Approach

Human risk is a notorious and growing weak spot in cybersecurity. Cyberattackers are becoming better every day at reaching out to employees and duping them into handing over their, and their companies’, valuables. Cybersecurity awareness training programs are hard-pressed to keep up. So, employees continue to reuse passwords, click on malicious links, and download unauthorized collaboration tools — forgetting or even dismissing what they’ve learned in often perfunctory training sessions.

The trend line is troubling. Nearly half of security professionals polled for Mimecast’s State of Email Security 2023 report say that insufficient employee awareness of even the most well-known threats is one of the biggest email security challenges they face this year. 

Clearly, cybersecurity awareness training needs to break through to a new level of effectiveness, to actually change employee behaviors and company cultures, not just elevate awareness. This sets a higher bar, requiring training that is more timely, targeted, relevant, and engaging. Experts recommend implementing a continual program including monthly training assignments, updates on new attack trends, and just-in-time reminders that are triggered when a security system detects an employee engaging in risky behavior, such as opening a suspicious attachment. 

5 Ways to Improve Cybersecurity Awareness Training Assignments

Training assignments are typically delivered online, including short, informative videos reinforced by brief, interactive Q&A sessions or games and follow-up testing.

The most effective training modules have these five traits in common:

• Entertaining
• Timely/Frequent
• Varied/Relevant
• Interactive
• Tested

A well-designed, modular approach can move the needle on cybersecurity awareness training to effect behavioral change — as in, instilling instinctively careful responses to perceived cyber risk, according to an Osterman Research report.[1] From there, it should aspire to the next level — a cultural shift in which employees consider themselves part of the solution to their organization’s cyber risk.

Entertainment Value Boosts Results 

Employees find it difficult to engage with training programs that are boring — a point underscored in Mimecast’s whitepaper on Teaching Good Security Behaviors with Seinfeld. The paper emphasized the importance of scripting videos that draw in viewers using humor and character development in an ongoing series.

The Osterman report quantified this correlation between well designed modules and desired changes in behavior by surveying employees’ attitudes toward their cybersecurity awareness training programs. 

At a behavioral level, for instance, 95% of trainees who found their training modules interesting say they feel confident they can report suspicious emails and attachments. Only about 75% of those who found their training to be boring can say the same.

At a deeper, cultural level, only about one in five employees who found their modules boring say that the training had substantially to fundamentally changed the way they think about security. Nine out of 10 of those who found training very interesting experienced this change of mindset.

Continual Cybersecurity Awareness Training Keeps Lessons Fresh

People forget. New lines of business create new risks. Cybercriminals come up with better tricks all the time. There are many reasons for continual cybersecurity awareness training. The best practice involves monthly interactive video assignments supported by timely interventions such as alerts when new phishing exploits emerge or warning banners when suspicious emails arrive.

A study of the effectiveness of phishing awareness and education over time suggests the need for continual training. Researchers found that employees’ ability to correctly discern between legitimate and malicious emails improves and remains elevated for about four months after training, but then fades.[2] And keep in mind that phishing is just one of many topics that need to be covered during the course of a year.

Despite this fact, only 18% of security professionals responding to the SOES 2023 survey say they provide ongoing training, while 36% provide it monthly and 31% provide it quarterly.

Multifaceted Threat Calls for Variety of Training Assignments

“Hey, how many z’s are in Amazon?” A silly question, but one that uses humor to drive home a point, in a Mimecast security awareness training video about holiday shopping scams. “At least three,” replies the devil’s advocate, while the earnest instructor in the video assures otherwise.

Visiting a spoofed website that phishes passwords is one of the many employee mistakes that contribute to a company’s cyber risk. In the SOES 2023 report, security professionals’ concerns about employees include online shopping at work, but also:

• Reuse of weak passwords
• Use of personal email for work
• Reliance on unauthorized cloud storage and collaboration

Training assignments should address these topics and others applicable to a company’s specific needs. The more relevant that security awareness training is to a particular job, department, or industry, the more likely it will resonate with trainees. Thus, assignments should also vary by job description (CEO, finance department manager, new employee, general staff), desirable habits, data risks, attack types, and regulatory compliance requirements. Examples from Mimecast’s library include:

• “Hook, Line, and Sinker,” for CEO spear-phishing
• “No Factor Fridays,” on multi-factor authentication
• “Rainbows and Unicorns,” on identity theft
• “Your Gift Has Shipped,” on spoofed notifications
• “This CCPA Thing,” on the California Consumer Privacy Act

Interactivity and Testing Make Awareness Training Stick

Quizzes, games, rewards, and other interactivity increase engagement and drive home the point of any assignment, helping to make it stick. They also make it possible to score employees on their awareness and behavioral risk in order to identify needs such as follow-up training.

While user test scores provide a good indicator, the rubber really meets the road when a company can draw on real-world employee behaviors observed by secure email gateways to help customize individual training efforts for high-risk users and discourage risky decision-making as it occurs. Such integrated awareness training is becoming a best practice in the field of cybersecurity.

The Bottom Line

Today’s attackers have more direct channels to employees, and their scams are increasingly difficult to discern from legitimate communications. How can a typical employee fend off such an onslaught? If your company’s answer is an annual cybersecurity awareness campaign, when the security team dusts off a few stale training videos during Cybersecurity Awareness Month, you may be in for a rude awakening.

Instead, experts say to run a continual program including assignments with engaging video reinforced by interactive components and testing. Research has proven this modular approach to be more effective in elevating employees’ awareness, behavior, and contribution to an overall culture of security. In addition, measuring the efficacy of training programs ensures the program is performing well overall and is tightly aligned to your objectives Read how Mimecast’s offerings help meet these goals.

[1] “Security Awareness Training as a Key Element in Changing the Security Culture,” Osterman Research

[2] “An Investigation of Phishing Awareness and Education Over Time: When and How to Best Remind Users,” USENIX