VISITING EXPERT. October is dedicated to cybersecurity awareness and is the perfect time to rethink our cybersecurity training and awareness strategies.
As cyber threats evolve, methods must be adapted to raise awareness to protect organizations and individuals effectively. This article reviews current methods, analyzes their effectiveness using some relevant statistics and presents emerging approaches that seem more than necessary on the eve of Halloween in the context of an increasingly frightening digital landscape.
Beginnings motivated by compliance
Current cybersecurity awareness-raising methods have gained popularity over the past decade. Initially, the main incentive for implementing awareness-raising and training programs for cybersecurity personnel was compliance with standards and regulations. Frameworks such as SOC 2, ISO 27001, HIPAA and the GDPR require systematic awareness-raising and training program implementation and execution. These frameworks require organizations to demonstrate their commitment to securing sensitive information. For example, cybersecurity awareness-raising programs were initially seen as a compliance requirement. In their initial phases, these programs were primarily motivated by the need to respond to audits and comply with regulations rather than the goal of proactively improving the organizational security culture.
The most frequent methods of awareness-raising and training
- Online training module:
Training via short modules accessible to employees at their own pace. It is very common, flexible, cost-effective and well-suited to large organizations.
- Phishing and social engineering simulations:
Using simulated phishing attacks to test employees’ response to real threats. We can target the most vulnerable users and offer them more specific training or, in some cases, revoke their access.
- Thematic days:
Thematic days on specific topics, such as data protection or phishing awareness, focussing on a key theme over a period. These can include webinars, interactive activities and discussions to understand risks better. Posters and other visual aids, such as infographics and banners, reinforce security messages by serving as regular reminders of good practices, such as avoiding suspicious emails, avoiding sharing passwords or reporting an attack.
Are these methods yielding concrete results?
Several studies and reports show that while traditional methods of cybersecurity awareness-raising – such as those listed above – are widely used, their effectiveness quickly plateaus. Many users remain vulnerable to cyber threats despite efforts and investments in these training methods. The behavioural changes they cause are often very limited.
According to a report by the SANS Institute, even organizations with well-established security awareness-raising programs continue to view social engineering attacks as a major concern. The report notes that while training is widespread, the human error rate remains high.
A less recent but still relevant ISACA report echoes this view. Despite a strong emphasis on training and raising awareness, organizations struggle to transform the knowledge disseminated into tangible behavioural changes.
In summary, these results indicate that, while traditional training methods are necessary, they are not always sufficient to induce meaningful behavioural changes.
Memory is an aptitude that forgets
Several studies have shown why traditional cybersecurity awareness-raising and training methods reach an effectiveness threshold. These methods tend to reach their limits due to the following factors.
- Lack of user engagement:
When the same training is repeated yearly, employees quickly lose interest and see these sessions as simply a boring formality, a chore. This reduces the positive impact of training as programs become routine and lack novelty to maintain engagement. The ISACA report points out that many programs rely on low-engagement rehearsals that do not provide the commitment to effect lasting behaviour change.
- Rapid forgetfulness of information:
The Ebbinghaus curve is a well-known phenomenon in learning. In the weeks following the training, users forget a significant portion of what they learned, especially if there is no constant reinforcement. Training programs that do not provide regular reminders or new ways of re-engaging employees are rapidly losing effectiveness.
- Poor behavioural monitoring:
It was also noted that traditional programs are not sufficiently focused on ongoing behavioural monitoring. After initial training, there is often no mechanism to assess whether employees have changed their behaviour in response to threats. There is no performance indicator. The indicator is often binary: was the training taken or not? We do not measure whether the behaviour has changed.
- Disconnect with concrete reality:
Purely theoretical or abstract methods, such as online courses or posters, are ineffective in motivating behavioural change among users because they are not based on concrete experiences. Studies show that people learn best when exposed to just-experienced real-life scenarios.
In short, while traditional methods are essential, they plateau because of these limitations, requiring a more interactive and engaging approach to ensure a more sustainable adoption of good cybersecurity practices.
Emerging trends in raising awareness
Although traditional methods of raising cybersecurity awareness play an important role in training employees, they are now reaching their limits. The lack of user engagement, the rapid forgetfulness of information and the absence of behavioural indicators compromise the effectiveness of these methods and, in turn, organizational security.
A more interactive, proactive and contextualized approach is essential to move beyond these limits. An emerging trend is developing programs that aim to induce cybersecurity behaviours.
A modern Security Behavior and Culture Program (SBCP) must offer continuous learning mechanisms and simple and fun tools to help employees manage day-to-day risks and real-time visibility for security teams to monitor high-risk behaviours.
Here are a few things that a good cyber behaviour change program should do.
- Approach based on customization and user context:
The program must adapt to the specific context of each employee, including their role within the organization. Customized and contextual suggestions make learning more relevant, particularly in managing access to sensitive data based on user responsibilities.
- Behavioural monitoring and ongoing performance indicators:
Rather than focusing solely on participation during training, a modern SBCP program must track user behaviours after training. Indicators to measure changes in cybersecurity behaviours are essential.
- Automation of access and risk management:
Access management requires automation, including environments such as Microsoft Teams, SharePoint and OneDrive. By incorporating proactive notifications and simple tools, the program allows employees to easily manage their access while ensuring security teams have a real-time overall view of risky behaviours.
- Continuous reinforcement through reminders and microlearning:
Repetition is key to consolidating learning. An effective program must include regular reminders to ensure that employees do not forget the concepts learned and continue to apply good security practices.
- Engagement and Interaction:
A modern SBCP program must make cybersecurity interactive and engaging through playful formats, quizzes, realistic situations and video game-inspired approaches. This helps maintain employee interest and make learning more enjoyable, thereby promoting sustainable behaviour change.
In conclusion, raising cybersecurity awareness has become increasingly critical in a world where digital threats are pervasive and constantly evolving. We are responsible for providing employees and users with the tools to develop the right reflexes to this scourge. By strengthening their knowledge and vigilance, we help protect the organization while fostering a strong and proactive security culture.