Making Security Awareness Training Effective

Making Security Awareness Training Effective

The consensus among most security professionals is that either traditional training methods do not work or that company officers do not value the needs of such training.  Although I do believe that both have merit, the latter of the two has improved in the last three years, primarily due to some high profile public breaches. 

But maybe we are asking the wrong questions.  Maybe the approach of “how effective is security training” should be “what can we do to make security awareness training more effective.

It starts by accepting the fact that a one size fits all mentality does not exist when it comes to teaching.  People learn differently and to apply the same methodology to everyone is not the best approach. 

Some people learn better using an auditory style, while others learn best physically or logically.   We need to start taking a more methodical approach and incorporate a variety of learning styles and, this is probably the most important method, tie it to a performance metric that is important to the employee.  What do I mean by that? 

In many of the call centers that I have been involved with over the years, they implemented a QAT or Quality Assurance Team.  They were involved with primarily checking the work of the employees to ensure that there were no critical mistakes made with their work.  Critical mistakes could lead to costly impacts to a businesses’ bottom line. Each employee would be evaluated approximately 5 or 6 times a quarter and their overall score would be weighed against the rest of their metrics. 

Give Employees Incentive to Succeed

So why would this matter, you might say?  If quality metrics are weighed high enough, it could impact an employee’s potential for an incentive plan.  I recall the days of my fellow colleagues getting heated every time they received a quality score they felt like they didn’t deserve.  Despite the difference in opinions, the thing I always remember is that it changed the behavior of that person.  Whenever my colleague had to close the call, they did it the right way because it impacted something that they care about, their incentive eligibility.

Coming full circle, why wouldn’t we want to make security awareness training a part of an employee’s performance or quality score?  It is just as important to make employees aware of security threats as it is to ensure that they verify a caller or prevent someone from walking into sensitive areas without credentials.  Now that we have secured a reason why they should care it time to focus on learning methods.

As I stated prior, people learn differently and the best way to teach people about security is not just focusing on computer based training or videos to get the point across, but incorporating real-life simulations with targeted employees and giving immediate feedback as it happens.  A universal example would be tailgating. 

Tailgating is when an employee badges into a sensitive area, like an employee entrance or production area and allows someone without a badge to piggyback or “tailgate” without using their own access credentials.  So when the Simulator has successfully tailgated an employee, they should pull them aside and explain to them with a security guard or a manager present, the importance of ensuring they do not become a victim and suggest mitigation techniques.  In turn, the security guard should report the incident directly to the employee’s manager for record and the manager should update the employee’s quality or performance file. 

Conversely, if the tailgating attempt is unsuccessful by an employee, it is important to let the employee know they passed the simulation for two reasons.  One, it reinforces positive behavior and two, undoubtedly, that employee will echo their experience with other teammates giving off a vigilance effect.  This type of experience will appease to those that learn physically, visually, verbally as well as socially (to others).  The same thing can be achieved by phishing attempts.

Phishing is a social engineering attack that focuses on deceiving an individual by pretending to be a reputable person or organization.  It is commonly deployed by email but other methods include by phone or in person.  The goal is for the target to give up their credentials or critical information so that the perpetrator can gain access to sensitive information worth value.  

One of the most common simulations available is sending an employee a well-crafted email from a source that appears to be legitimate.  When the employee clicks on it, the screen opens a series of web pages with loud alert sounds.  A splash page follows with the company emblem letting them know that they have just participated in phishing simulation.  After they review the information and submit their acknowledgement of the simulation, QAT updates the employee file and the manager is copied for additional follow up. 

Phishing Alerts for Potential social engineering simulation

On the flip side, if the phishing attempt is reported to the appropriate party (i.e. Designated Security Team or Manager) by the employee or expires (due to employee deleting the email), then the employee and the QAT are made aware.  This should appease to those that learn verbally, visually, physically, socially and logically.

Now I know that there are many other learning styles that I may not have accounted for; to my defense, there are many other methods of attack that contribute to cyber security.  The point is, that it is important to incorporate different methods with the mindset of what works with a multitude of learning styles.  Equally important, is to tie the importance of security with a metric that impacts the employee so that it matters to them. 

As security professionals, it may be ideal to inquire with the organization if this is currently in place.  If not, this would be a powerful recommendations.  One of my favorite quotes is by Steve Conrad formally of MediaPro, “it’s not just about providing security training, it’s about providing educational experiences that change behaviors.


Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.

Related Posts

Title Image: AI Security Realities: Rethinking PII as the Sole Indicator

AI Security Realities: Rethinking PII as the Sole Risk Indicator

During a client meeting, I addressed misconceptions about cybersecurity, especially the notion that absence of PII equates to no risk. I discussed how cyber threats extend beyond data theft to include system vulnerabilities that could disrupt operations and impact users, citing the SolarWinds and New York Times attacks as examples. I explained that comprehensive assessments are crucial for understanding broader cybersecurity risks, not just those involving PII. Additionally, I highlighted the importance of protecting AI models from poisoning, underscoring the need for robust security measures in AI development.

10 Ways to Improve Your Math Skills for Cybersecurity

10 Ways to Improve Your Math Skills for Cybersecurity

As highlighted in our earlier discussion, The Intersection of Math and Cybersecurity, a solid grasp of mathematics is indispensable within the realm of cybersecurity. The specific demands…

The Intersection of Math and Cybersecurity - Does Cybersecurity Require Math?

The Intersection of Math and Cybersecurity

During my weekend exploration of a renowned Q&A platform, I unexpectedly encountered a question that left me intrigued. I couldn’t help but wonder if the original poster (OP) was playfully jesting or sincerely seeking knowledge. This curious moment brought forth a reminiscent smile as I recalled the age-old adage we all encountered during our early school years: “Math is fundamental to all endeavors.” However, an interesting twist emerged: Does this axiom extend its influence into the intricate realm of Cybersecurity?

Client Confidence Crisis: How Neglecting Security Practices Can Drive Customers Away

In today’s digital landscape, establishing an Information Systems Security Program (ISSP) is no longer optional but a crucial necessity for organizations. This blog post explores the vital importance of implementing an ISSP early on and understanding the factors that influence its establishment and modification. Senior management’s role in championing ISSPs is emphasized, as their buy-in and recognition of its significance set the tone for organizational security practices.

However, misconceptions and flawed reasoning often hinder the adoption of robust security measures. From the belief that “it will never happen to us” to relying solely on insurance coverage, these notions can prove detrimental to an organization’s security posture. Furthermore, assumptions that clients don’t care about security or that the cloud provides ultimate protection are debunked, shedding light on the evolving expectations and regulations surrounding data protection.

The ugly truth emerges as we delve into the constant threat of internet vulnerability scans and the risks organizations face when vulnerabilities are discovered. This post aims to dismantle these flawed mindsets, highlighting the need for a comprehensive security approach beyond insurance coverage and the importance of addressing vulnerabilities proactively.

Stay tuned for the upcoming parts of this conversation, where we will explore additional influential factors and provide insights into developing effective ISSPs. Together, let’s navigate the complex world of system security and ensure the protection of your organization’s invaluable assets.

Maximizing Email Security: Understanding the Importance of DKIM, SPF, and DMARC

Email is a crucial part of our daily lives, but unfortunately, it’s also a popular target for cybercriminals who use various tactics like spam, phishing, and spoofing to scam people. The FTC recently issued a warning to users of MetaMask and PayPal about phishing scams that are currently circulating through fake emails. The scam claims that the user’s cryptocurrency wallet has been blocked and encourages them to click a link and update their wallet to prevent the loss of their crypto. To protect email users from these threats, authentication protocols like DKIM, SPF, and DMARC are strongly recommended.

Top 10 Cybersecurity Job Sites

Top 10 Job Sites for Cybersecurity Professionals

As the world continues to rely heavily on technology, the demand for cybersecurity professionals continues to grow. Cybersecurity jobs offer high salaries, job security, and a wide range of career options. However, finding the right job can be challenging.

This Post Has One Comment

Comments are closed.

RSS109
Twitter638
YouTube0
YouTube
Pinterest0
fb-share-icon
LinkedIn
Share