Cybersecurity Training Doesn't Work

As cyber threats and those who carry them out increase and become more sophisticated, organizations must take a different approach to cybersecurity awareness training.

With the global security awareness training market set to exceed $10 billion annually by 2027 and an estimated worldwide cybercrime cost of $10.5 TRILLION (with a "T") annually by 2025, something's gotta give.

As we gear up for Cybersecurity Awareness Month, these statistics seem like a macabre comedy. So much is spent on training, yet so little has come of it. Traditional security awareness training (SAT) clearly doesn't work for companies or employees.

With recent high-profile attacks like the one on MGM Hotels and Casinos, which was the result of either:

A. Poor credentials

B. Third-party vendor negligence

C. Disregarding warnings

D. All of the above

...and while the company remains mum on its "cybersecurity issue," what we do know is that it was a ransomware attack.

And it was completely avoidable had there been proper training.

Financially motivated hackers ALPHV took credit for the attack, which forced MGM computer systems to shut down, thus disabling hotel room pass cards, booking systems, and machines on the casino gaming floor.

This egregious oversight is costing the hotel and casino chain as much as $8.4 million a day in lost revenue.

OUCH!

For a company that invests millions in robust cybersecurity measures, how did things go so wrong?

Lack of effective security training.

Why cybersecurity training doesn't work

It's boring, inhuman, and inconvenient. Companies believe SAT is a one-size-fits-all approach to cybersecurity, but that is simply not the case.

Phishing isn't ransomware, isn't social engineering, and isn't a DDoS attack.

Cyber attacks and the threat actors who carry them out are not one and the same. They are all unique, complex, and perplexing. They all have different goals, objectives, and motivations.

In addition, the networks, systems, access levels, and types of data a company stores and uses each pose their own circumstances and call for their own security protocols. Businesses and their boardrooms don't fully understand the threats they're facing or how best to defend their networks against them.

The mind-numbing 30-45 minute SAT videos employees are forced to watch once a year aren't cutting it. There's no such thing as effective check-the-box or one-and-done training, which is really only designed to give regulators, customers, and shareholders the warm and fuzzies that you’re prioritizing security.

You won't get flowers or a phone call in the morning as employees tend to forget all they learned in a single information-packed session.

A New Approach to SAT

One of the most important things organizations must remember regarding cybersecurity awareness training is that the students (employees, third-party vendors, and executives) are human.

Humans themselves are complex creatures with their own individual set of goals, challenges, thoughts, feelings, beliefs, and motivations. Everyone learns differently. Companies must be trained on adult learning concepts and apply them to their SAT.

Samantha in HR is not Tim in accounting, who is not Julie in marketing, who is not Matt in shipping/receiving, who is not Amy in the C-suite. They are not cogs in a machine or processes that ship products, process orders, generate invoices, or maintain employee records.

They are messy, imperfect, thinking, feeling, and doing beings.

SAT needs to work for people, not on people

It's about creating a corporate culture around security that incorporates how people learn and apply the information they've learned into their daily work lives.

Content needs to be inspiring and engaging and motivate individual employees to want to bolster the strength of an organization's security posture. It needs to meet them where they are.

Easier said than done, I know. The one-size-fits-all approach with a video on phishing scams is much easier and less costly than a customized one. However, the cost of a breach is far more expensive. And when you consider that the majority of cyber breaches are the result of human error, then you may want to consider opening up the wallet a little further to ensure your employees are properly trained.

Give Employees the "Why," not the "What"

Give employees the why, not just the what. Phishing, for example, is the what. The purpose of the content is the why.

Adult learning is influenced by a complex interplay of psychological factors that differ from those in childhood and adolescence. Understanding the "why" behind learning is a critical aspect of adult education.

Unlike children, adults come to the learning process with a wealth of experiences, motivations, and goals. They are more likely to be self-directed learners who are motivated by the practical relevance of what they are learning.

When adults understand the purpose and relevance of the content, it not only increases their intrinsic motivation but helps them connect new information with their existing knowledge and experiences. This connection promotes deeper understanding, retention, and application of the material.

Moreover, adult learners often juggle multiple responsibilities, making it essential that they see the value in dedicating time and effort to learning.

By providing a clear rationale for learning, educators empower adult learners to take ownership of their education and make meaningful connections between the content and their personal or professional lives, ultimately enhancing the effectiveness of the learning process.

How do you apply all of this?

Start with the R.I.D.E.M. approach.

R: Is the training relevant?

I: Are the students involved in the process?

D: Are students discovering something new? (aha! moment)

E: Do the students experience the subject matter through hands-on exercises?

M: Does the instructor (or manager) model (demonstrate) the desired/expected behavior?

Then apply the following:

  1. Customize training: People learn best when feedback is contextual and relevant, so tailor security training to each employee and their role.
  2. Provide real-time feedback: Continuously deliver training via platforms that provide real-time feedback based on an individual employee’s security behavior.
  3. Implement training in security tools: Security tools that automatically alert an employee when they may have received a phishing email or are about to send sensitive information to the wrong email address give that employee the opportunity to interact with a real-time threat and learn from that interaction.
  4. Use real-life scenarios: Put threats into context with real scenarios and ask each employee how they would handle them.
  5. Engage Emotions: Appeal to learners' emotions by highlighting the personal and collective impact of cybersecurity. Convey the sense of responsibility they have to protect themselves and their organizations, as well as the broader online community.
  6. Incorporate Gamification: Gamify the learning experience by adding elements like challenges, badges, and rewards. Gamification can make the content more engaging and motivate learners to participate actively.
  7. Feedback Loops: Encourage employees to share their thoughts, questions, and experiences. Foster a sense of community where they can interact with instructors and peers. Address their concerns and questions promptly.
  8. Multimodal Content: Offer content in various formats, such as videos, infographics, podcasts, and written materials. This accommodates different learning preferences and allows learners to choose the format that suits them best.
  9. Celebrate Success: Recognize and celebrate milestones and achievements in cybersecurity awareness. Acknowledge and reward learners for their dedication to learning and practicing good cybersecurity behavior and habits.
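Item 3 above describes a tool that warns an employee at the moment of risk and turns that moment into a lesson. The following is an added illustration of that idea, not code from the article or from any product it mentions: a pre-send check that compares outbound recipients against the organization's own domain and trusted partner domains, flags lookalike domains and sensitive mail going to outsiders, and explains the "why" in the warning. The domains, addresses, and the two-edit lookalike threshold are constructed for the example.

```python
"""Just-in-time coaching check for outbound email recipients (added example).

The organization domain, partner list, and threshold below are constructed
values; a real deployment would load them from policy.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "example-corp.com"              # constructed
TRUSTED_PARTNERS = {"partner-bank.example"}  # constructed
LOOKALIKE_MAX_EDITS = 2                      # assumed threshold


@dataclass
class Verdict:
    ok: bool
    warnings: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot typosquatted versions of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(recipients, sensitive: bool) -> Verdict:
    """Return ok=True when nothing needs the sender's attention, otherwise
    ok=False plus one explanatory warning per risky recipient."""
    verdict = Verdict(ok=True)
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == ORG_DOMAIN or domain in TRUSTED_PARTNERS:
            continue
        if edit_distance(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS:
            # A near-identical domain is the classic misdirected-mail trap.
            verdict.ok = False
            verdict.warnings.append(
                f"{addr}: '{domain}' looks like {ORG_DOMAIN} but is not it. "
                "Near-identical domains are registered to catch mail sent by "
                "mistake; check the spelling before sending.")
        elif sensitive:
            # External recipient on a sensitive message: confirm, don't block.
            verdict.ok = False
            verdict.warnings.append(
                f"{addr}: external recipient and this message is marked sensitive. "
                "Misaddressed mail is a common cause of data breaches; confirm "
                "this is the intended person.")
    return verdict
```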

There are additional options organizations can incorporate into their SAT, including storytelling, assessments and quizzes, and actionable takeaways employees can immediately apply.

Above all, an effective cybersecurity training program creates a culture of proactive awareness and diligence. Once employees are aware of the common risks and are motivated to prevent them, they change their behaviors and don't see training as a boring requirement that interrupts their daily work routine but rather as an initiative in self-accountability to keep themselves and the organization, as a whole, safe.