Research: Boring Security Awareness Training Doesn’t Help Employees
September 2020 by MediaPRO and Osterman Research
In news surprising no one, a new survey of 1,000 U.S. employees has found that boring security awareness training doesn’t make them want to be secure.
“Our research found that users who found training to be ‘very interesting’ were more than 13 times more likely to make fundamental changes in the way they think about security compared to those who found the training to be ‘boring’,” said Michael Osterman, researcher and president of Osterman Research, who conducted the study.
The research supports the claim that employees get far more benefit out of interesting and engaging training, joining facts such as “the sky is blue,” and “water is wet.”
As users receive more security awareness training, their ability to effectively deal with security threats increases, the report found. The “before-and-after” picture shows that users who are properly trained are much more likely to spot phishing attempts, business email compromise, and other cybersecurity threats than are their untrained colleagues.
The study, Security Awareness Training as a Key Element in Changing the Security Culture, surveyed both everyday employees and IT managers and decision makers to gauge opinions on the current state of security training and awareness. The work was co-sponsored by training and awareness firm MediaPRO, who wouldn’t know how to produce boring training if you gave them directions.
Other key takeaways from the report include:
IT, security, and business leaders – while generally wanting to establish a strong cybersecurity culture within their organization – are somehow not conveying that idea effectively to a large proportion of their employees. Security awareness training is perceived to be as important as technology in dealing with security threats and organizations will be devoting more employee time to training over the next year.
Approximately 45 percent of employees surveyed expect to spend 15 minutes or more per month in training by mid-2021, up from 26 percent in 2020.
Senior IT and business management are much more enthusiastic about security awareness training than are non-management employees.
Security and IT leaders, their staff members, and business leaders are largely on board with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.
“Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall,” MediaPRO Chief Strategist Lisa Plaggemier said.
“Good security awareness training should get and keep your attention. That’s what it means to be engaging,” Plaggemier continued.
As lots of scary industry research continues to find, cybersecurity technology alone is not enough to keep businesses secure. Bad guys go after employees, plain and simple. Equipping employees with the know-how to turn away cyberattacks means engaging security training that speaks their language and tells them what they need to know, no more, no less. The full report can be found here: https://www.mediapro.com/report-sec...