In honor of National Cybersecurity Awareness Month (NCSAM):

A new perspective challenging the notion that ‘Content is King’ in Security Awareness Training

In the past few years, traditional security awareness training vendors such as KnowBe4 and Proofpoint have promoted annual awareness refreshers for employees. These solutions include large content libraries and elaborate videos made accessible to enterprise employees in the hope that they will be consumed, digested, and produce a change in the organization’s cyber security culture.

Some of the vendors acquired multiple production companies and invested heavily in video casting and production. The rationale behind these efforts was probably the typical conception of ‘the more the better’ – if we dazzle employees with enough bells and whistles, they will surely pay attention.

But do they?

Thanks to various commercial techniques and incentives, these content-heavy programs have become the norm in certain industries: first among many SMBs, and gradually among larger companies. SAT programs have even made it all the way to the House of Representatives.

But security leaders globally are reporting concerning data, indicating that these vast content-driven methods fail to deliver on their promises:

  • Employee engagement is low (often less than 30%)
  • Infrequent, annual training cadences are proving ineffective, and the number of cyber attacks that originate in human error continues to grow
  • Measuring progress and quantifying behavioral change is challenging
  • These training methods burden employees and IT teams alike, often creating friction

So while enterprises continue to implement content-heavy solutions, we hear from InfoSec leaders that realizing the full value of the investment and demonstrating ROI is often impossible.

What would a straightforward protocol look like?

  1. With 48 working weeks each year, content should be broken down into smaller, more granular bites, distributed to employees by email on a regular cadence
  2. A short True/False quiz can conclude each email and reinforce employees’ knowledge to increase engagement
  3. IT can track each opened email and monitor correct/incorrect responses in order to measure progress
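The three steps above, worked through as a small added example (this is illustrative code written for this page, not CybeReady’s product or any vendor’s code): a content library is spread across the 48 working weeks, each bite carries its True/False prompt, and a constructed delivery log of the kind a mail and quiz platform would record is turned into the per-week and per-employee numbers IT needs to measure progress. The bite library, the employee names and the log events are all made up for the example; the 30% figure is taken from the engagement statistic quoted above and used here as a flagging threshold.

```python
"""Lean-content awareness training: weekly scheduling plus engagement metrics.

Added illustration, not vendor code. All bites, employees and log events
below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

WORKING_WEEKS = 48       # from the text: 48 working weeks per year
LOW_ENGAGEMENT = 0.30    # the "often less than 30%" figure, used as a flag threshold


@dataclass(frozen=True)
class Bite:
    topic: str
    statement: str   # the True/False prompt that closes the email
    answer: bool     # the correct response to the statement


# Hypothetical content library (constructed for the example).
LIBRARY = [
    Bite("phishing", "A link's visible text always matches its destination.", False),
    Bite("passwords", "Reusing a password across sites increases breach impact.", True),
    Bite("mfa", "MFA prompts you did not initiate should be approved to stop them.", False),
    Bite("reporting", "Suspected phishing should be reported even if you clicked.", True),
]


def schedule(bites, weeks=WORKING_WEEKS):
    """Assign one bite to each working week, cycling through the library.

    Returns {week_number: Bite}. When the library is shorter than the year
    the topics repeat at a fixed interval, which is the reinforcement the
    lean-content approach relies on.
    """
    if not bites:
        raise ValueError("empty content library")
    return {week: bites[(week - 1) % len(bites)] for week in range(1, weeks + 1)}


# Constructed delivery log: (week, employee, opened, answered, correct).
CONSTRUCTED_LOG = [
    (1, "alice", True,  True,  True),
    (1, "bob",   True,  True,  False),
    (1, "carol", False, False, False),
    (2, "alice", True,  True,  True),
    (2, "bob",   False, False, False),
    (2, "carol", False, False, False),
    (3, "alice", True,  False, False),
    (3, "bob",   True,  True,  True),
    (3, "carol", False, False, False),
]


def _validate(event):
    """A quiz can only be answered from an opened email, and only an
    answered quiz can be correct; reject logs that violate that ordering."""
    week, employee, opened, answered, correct = event
    if answered and not opened:
        raise ValueError(f"week {week}, {employee}: answered without opening")
    if correct and not answered:
        raise ValueError(f"week {week}, {employee}: correct without answering")
    return event


def weekly_metrics(log):
    """Per-week counts plus open rate (opened/sent) and accuracy (correct/answered)."""
    weeks = defaultdict(lambda: {"sent": 0, "opened": 0, "answered": 0, "correct": 0})
    for week, _employee, opened, answered, correct in map(_validate, log):
        row = weeks[week]
        row["sent"] += 1
        row["opened"] += int(opened)
        row["answered"] += int(answered)
        row["correct"] += int(correct)
    for row in weeks.values():
        row["open_rate"] = row["opened"] / row["sent"]
        row["accuracy"] = row["correct"] / row["answered"] if row["answered"] else None
    return dict(weeks)


def employee_engagement(log):
    """Share of delivered bites each employee actually opened."""
    sent, opened = defaultdict(int), defaultdict(int)
    for _week, employee, was_opened, _answered, _correct in map(_validate, log):
        sent[employee] += 1
        opened[employee] += int(was_opened)
    return {employee: opened[employee] / sent[employee] for employee in sent}


def low_engagement(log, threshold=LOW_ENGAGEMENT):
    """Employees whose open rate is below the threshold, for targeted follow-up."""
    return sorted(e for e, rate in employee_engagement(log).items() if rate < threshold)


if __name__ == "__main__":
    plan = schedule(LIBRARY)
    print("week 1:", plan[1].topic, "| week 5:", plan[5].topic)
    for week, row in sorted(weekly_metrics(CONSTRUCTED_LOG).items()):
        print(f"week {week}: open_rate={row['open_rate']:.2f} accuracy={row['accuracy']}")
    print("below threshold:", low_engagement(CONSTRUCTED_LOG))
```

The two ratios are kept separate on purpose: open rate answers the engagement question from the list above, while accuracy (correct over answered, not over sent) shows whether the people who did engage actually learned the point, which is the measurement the annual-refresher model cannot give.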

See how Ian Patrick from Menzies Distribution uses lean content to power his security awareness training program:

What are the advantages of a “lean content” approach?

  1. Shorter sessions are easier for employees to consume, so engagement is likely to be higher
  2. Multiple learning opportunities spread across the year are likely to prove more effective than a single annual or quarterly session
  3. With real-time monitoring of employee engagement and of the quality of their responses, IT can verify that real learning (the end goal) takes place
  4. The lower burden on employees reduces friction with the InfoSec team and helps build a more positive cybersecurity culture

Expected Security Behaviours

To read more about this approach, check out CybeReady’s CAB (Continuous Awareness Bites), which offers bite-sized security awareness training modules embedded in employees’ daily routine.

Dozens of large modern enterprises have already adopted this approach and are seeing high engagement and a shift in security culture. They are so positive about their experience that they are happy to share it with other InfoSec leaders (see our virtual event series with leading customers).

If you’d like to hear more, request a product demo and we will take you on an exciting CAB ride!

Author:
Shlomi Gian
October 14 2020