Jonathan Crowe
Oct 2015

5 Common Mistakes Guaranteed to Make Cybersecurity Awareness Training Ineffective


With recent studies confirming what many IT pros have long suspected — that employees are the single weakest link in security infrastructures — it makes sense that employee education has become a top priority. 

According to CloudEntr's State of SMB Cybersecurity in 2015 report, an overwhelming 89% of companies considering changes to their security policies plan on investing primarily in ways to better educate their employees. 

What's less obvious, however, is how to ensure that increased investment is applied effectively so that it actually yields positive results. That's where things get tricky. After all, what security training often comes down to is changing employee behavior. And that is never easy.

There's been no lack of debate around the overall effectiveness of cybersecurity awareness training, but if you're going to devote the time and resources, you owe it to yourself to avoid five common mistakes guaranteed to make it fall flat.

1) Not connecting the dots between security and employees' existing priorities & goals

“When we’re working in our capacity as security advocates — or just as people trying to convince others to do something we think would be beneficial — determining what ‘beneficial’ means to our audience should be step one before presenting our suggestions,” says Lysa Myers, Security Researcher at ESET.

There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

2) Overdoing it instead of keeping it dead simple

“Training is not about making end-users InfoSec experts. It's about sharing just enough information to foster some key behaviors,” says Corey Nachreiner, CTO, WatchGuard. “In other words, if you are training them about buffer overflows flaws, you're doing it wrong. Instead, you should be training them about how to recognize phishing emails or how to interact with unsolicited attachments. In the end, you want them to know enough about the potential problem that they will adopt the right behavior.”

“Don't spout acronyms without explanation,” Nachreiner advises. “In short, don't speak in the same shorthand you use with peers. Even if you think a term or acronym is well recognized, spend the extra minute to explain it.”

3) Forgetting the part where you provide clear guidelines

"We shouldn’t judge too harshly when others don’t yet understand or prioritize security," says Barkly co-founder and CTO Jack Danahy. "Instead, we need to be up front with them, explain our security choices, and repeatedly outline what we expect from them." The big takeaway?

"Make explicit the behaviors you want to see and the practices you expect people to adhere to."

That may sound simple enough, but as you look for new and novel approaches to cybersecurity awareness training, don't forget the importance of providing simple, clearly defined guidelines.  

"Employees and partners will certainly skew to doing what’s right," Danahy says, "but they are much more likely to succeed when we consistently help them understand what that means."

4) Not making your examples personal

Believe it or not, "you can have a little fun with cybersecurity," says John N. Stewart, SVP, Chief Security & Trust Officer at Cisco. "I like to make these things personal. That means I’ve taken examples of employees where they’ve gotten themselves into an upside-down situation because they double-clicked this, installed that or whatever, and they just become the voice and go, ‘You know what, guess what I didn’t realize until today.’

"They’ll make videos, they’ll give quotes, they’ll write a blog, laugh with us. That makes it personal because it was a friend, it was a colleague. It was something that happened at Cisco, not something that happened somewhere else."

5) Not giving employees any incentives 

When asked about the success of cybersecurity awareness training at Salesforce, Senior Director of Trust Engagement Masha Sedova explains that it all comes down to "what we call discretionary performance — getting people to want to do security instead of [feeling like] they have to. The way we do that is by including elements like gamification, positive incentives, rewards, and recognition to get people to understand these are behaviors we would like to see them do, and actually reward people when they demonstrate them, as opposed to just punishing bad behavior."

"A key component of a successful security awareness program is making our employees actually get their hands a little bit dirty with the things we’re asking them to do," Sedova says. "Plus, we all like to get a “thank you” or a high-five for good behavior, and that is something that’s irrelevant of the type of company you work for or the size."

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
