Security Awareness Training

The Final Frontier in the Fight against CyberCrime

While the variety and sophistication of cybersecurity technologies have expanded dramatically over the last decade, the ability of organizations to defend themselves against security breaches does not seem to be improving. In fact, most evidence suggests it is getting worse. A 2012 study from HP found that the occurrence of cyber attacks has more than doubled over three years, with organizations experiencing an average of 102 successful attacks per week in 2012, compared to 50 per week in 2010.

As more business is conducted virtually, on computers and mobile devices, the opportunity for criminals to steal valuable information expands. To date, the information security industry has focused primarily on using technology to secure information. Much less has been done to secure the human element, and as a result employees have become cybercriminals' primary attack vector. In a recent report by PwC, 80 percent of companies surveyed had suffered security breaches caused by employees.

Technologies such as antivirus, firewalls, intrusion detection and behavior-blocking components are undoubtedly essential countermeasures in the fight against cybercrime. Unfortunately, nearly every cybersecurity technology engineered to protect computer systems and information can be circumvented, usually unintentionally, by the people who use it.

Information security has always required a delicate balance between usability, cost and strength. Building an impenetrable fortress would not only stifle employee productivity but also be cost prohibitive. In the age of IT consumerization, employee demands for greater mobility and connectivity have made maintaining that balance even more difficult, a fact that cybercriminals have been quick to exploit.

As cyber attacks grow in sophistication, with evidence that cyber espionage efforts such as Flame are sponsored by nation states, many observers say corporate America is not doing as much as it should to mitigate the threat. New breeds of attacks that target vulnerable employees, such as spear phishing, drive-by downloads, poisoned search engine results and mobile malware, continue to debut in droves, while the effectiveness of countermeasures lags behind.

Given the sheer volume and velocity of attacks waged against unsuspecting and undereducated employees, something must be done to shore up this gaping hole in corporate defenses. Maintaining the status quo is no longer sustainable: organizations cannot afford to spend ever more time, money and energy responding to these attacks.

Recognizing that humans are still the weakest link in the security chain, many security officers are re-evaluating their approach to cybersecurity training. Most employee-caused security breaches stem from ignorance rather than malice. The old model of herding employees into a classroom once a year (or upon hire) to sit through the boring, antiquated style of training session that emerged 15 to 20 years ago has proven ineffective.

Threats are evolving rapidly as employee adoption of mobile computing and social networking has skyrocketed. The old once-a-year "check box" approach to security training cannot keep pace, nor will writing a security policy by itself prevent breaches. Wombat Security Technologies' own research shows that tried-and-true attack methods, such as relatively simple phishing emails, still hook up to 60 percent of employees. It is time for employees to understand why security policies matter and learn how to put them into practice.

While some argue that employees are incapable of taking an active role in cybersecurity, there is strong evidence for the effectiveness of education. Research shows that organizations with well-understood security policies suffer fewer breaches, and that companies with an ongoing security awareness program suffer 50 percent fewer breaches. Security officers who retire their old PowerPoint training presentations in favor of interactive cybersecurity assessment and awareness training software are seeing positive results, including up to a 70 percent reduction in susceptibility to employee-targeted attacks, which translates into fewer breaches and lower remediation costs.

New software-based training programs integrate easily into dealers' existing security product and service portfolios to meet this growing demand for more effective training. Integrators, consultants and resellers alike are taking advantage of the trend to drive incremental revenue, increase customer penetration and complement security infrastructure sales.

5 Key Security Training Program Success Factors

Here are some key user education program tactics that our customers use to make people aware of security risks and motivate them to change their behaviors.

Prioritize and focus. Successful security training is a process, not a one-time event. Training solutions that include analytics help organizations assess human risk factors across multiple attack vectors, including email, mobile devices, social networking and passwords. Security officers can then build a customized program that addresses the most prevalent or riskiest employee behaviors first. The best results come from setting realistic goals to modify two or three risky behaviors at a time; as progress is made, more risks can be addressed by adding new training modules.

Make it digestible. Effective security training is about quality, not quantity. Training is better received when it is woven into the daily work routine, using learning science principles to build incremental success on "teachable moments." In as little as 10 minutes, an interactive software training session can measurably reduce employee susceptibility to attacks. With administrative tools that let security managers schedule and deploy training modules or mock cyberattacks, training can be presented in the context in which a person is most likely to be attacked. When an employee falls for a mock attack, a quick on-the-spot training session helps him or her understand the risk and learn how to avoid similar attacks in the future.

Keep them coming back for more. As the mobile app explosion demonstrates, people love games and engaging formats, and the best security training solutions use this to their advantage. With interactive elements, simulated environments, games featuring memorable characters and engaging scenarios, employees actually look forward to training. This approach lets employees pace their own learning, practice concepts in multiple contexts and master skills through repetition. Over time, active involvement in the learning process helps employees feel more invested, which translates into better understanding and lower risk.

Measure the results. Security training platforms collect user data so that administrators can monitor completion of training assignments, assess individual employee performance and measure improvement in people's behavior and awareness across the entire organization. Armed with in-depth training intelligence and easy-to-read reports, security officers can track compliance, measure the effectiveness of their awareness programs and demonstrate a positive return on investment.

Continue to adapt. As long as security breaches yield financial or political gains for perpetrators, cyberattacks will continue to proliferate. Security awareness training programs must address the current spectrum of email, mobile device, social networking and password-related attacks, and keep pace with evolving threats. Cloud-based training platforms that offer a wide array of modules and release new ones in response to shifting attack trends help security officers build flexible and sustainable programs.
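The "Make it digestible" and "Measure the results" tactics above rest on two mechanics: mock phishing campaigns whose links attribute each click to a recipient, and per-campaign metrics that let a security officer compare susceptibility before and after training. The Python below is an added illustration written for this page, not code from the original article or from Wombat's product. The signing key, the ten recipients, the campaign names and every click count are constructed for the example.

```python
"""Phishing-simulation tracking and scoring (added example, constructed data)."""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical signing secret; a real deployment loads it from a secrets store.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
ACTIONS = ("delivered", "opened", "clicked", "submitted", "reported")


def pseudonym(user_id: str, key: bytes = SIGNING_KEY) -> str:
    """Keyed pseudonym for a recipient, so the tracking URL never carries the address."""
    return hmac.new(key, b"pseudonym:" + user_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_token(campaign_id: str, user_id: str, key: bytes = SIGNING_KEY) -> str:
    """Opaque token embedded in a simulated email's tracking link."""
    body = f"{campaign_id}.{pseudonym(user_id, key)}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"


def parse_token(token: str, key: bytes = SIGNING_KEY):
    """Return (campaign_id, pseudonym) for a genuine token, or None if it was altered.
    Rejecting forged tokens stops someone who edits a forwarded link from marking
    a colleague as having clicked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    campaign_id, pseud, mac = parts
    expected = hmac.new(key, f"{campaign_id}.{pseud}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None
    return campaign_id, pseud


def record_event(events: list, token: str, action: str) -> bool:
    """Append a (campaign, pseudonym, action) event; False means the hit was rejected."""
    parsed = parse_token(token)
    if parsed is None or action not in ACTIONS:
        return False
    events.append((parsed[0], parsed[1], action))
    return True


def campaign_metrics(events: list, campaign_id: str) -> dict:
    """Unique recipients per action, and each as a rate of those delivered."""
    users = defaultdict(set)
    for camp, pseud, action in events:
        if camp == campaign_id:
            users[action].add(pseud)
    delivered = len(users["delivered"])
    counts = {a: len(users[a]) for a in ACTIONS}
    rates = {a: (counts[a] / delivered if delivered else 0.0) for a in ACTIONS}
    return {"delivered": delivered, "counts": counts, "rates": rates}


def susceptibility_change(events: list, before: str, after: str) -> float:
    """Relative change in click rate between two campaigns; negative is improvement."""
    b = campaign_metrics(events, before)["rates"]["clicked"]
    a = campaign_metrics(events, after)["rates"]["clicked"]
    return (a - b) / b if b else 0.0


def run_demo() -> dict:
    """Constructed history: ten staff, one campaign before training and one after."""
    staff = [f"user{i}@example.test" for i in range(10)]
    events = []
    # Campaign q1 (baseline): six click, two of them enter credentials, one reports.
    for u in staff:
        record_event(events, make_token("q1", u), "delivered")
    for u in staff[:6]:
        record_event(events, make_token("q1", u), "clicked")
    for u in staff[:2]:
        record_event(events, make_token("q1", u), "submitted")
    record_event(events, make_token("q1", staff[9]), "reported")
    # Campaign q3 (after two short interactive modules): two click, five report.
    for u in staff:
        record_event(events, make_token("q3", u), "delivered")
    for u in staff[:2]:
        record_event(events, make_token("q3", u), "clicked")
    for u in staff[5:]:
        record_event(events, make_token("q3", u), "reported")
    # A link whose token was edited by hand must not produce an event.
    genuine = make_token("q3", staff[0])
    forged = genuine[:-1] + ("0" if genuine[-1] != "0" else "1")
    forged_accepted = record_event(events, forged, "clicked")
    return {
        "q1": campaign_metrics(events, "q1"),
        "q3": campaign_metrics(events, "q3"),
        "change": susceptibility_change(events, "q1", "q3"),
        "forged_accepted": forged_accepted,
    }


if __name__ == "__main__":
    result = run_demo()
    for camp in ("q1", "q3"):
        m = result[camp]
        print(camp, {a: f"{m['rates'][a]:.0%}" for a in ("clicked", "submitted", "reported")})
    print("click-rate change:", f"{result['change']:+.0%}", "forged accepted:", result["forged_accepted"])
```

Two design points carry over to real programs. Track the report rate alongside the click rate: a rising share of employees who report the mock email is the behavior the training is trying to produce, and it is the metric most boards understand. And validate every tracking hit before scoring it; besides hand-edited links, email security gateways that pre-fetch URLs will register as clicks unless their source addresses are excluded, which otherwise makes a campaign look far worse than it was.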

Long ignored as a strategic ally in the war against cybercrime, employees are ready, willing and able to take up the fight; they just need to understand their mission and be equipped to complete it. While no risk factor can ever be entirely eliminated, companies that implement interactive approaches to security awareness training are finding that the payoff is worth the investment. As employees learn to identify and report attacks, they become invaluable to a company's security posture. The metrics show that security awareness training, when done right, can substantially reduce risk. The human element is truly the final cybersecurity frontier. It is time to rally the troops.

This article originally appeared in the January 2013 issue of Security Today.
