Undervalued and ineffective: Why security training programs still fall short

As a former U.S. Naval officer, Bruce Beam says corporate security training would benefit from adopting the military notion that you fight like you train.

In other words, he says, all employees need to be trained to combat the range of attacks they’ll likely face; all workers should be practiced in how to spot and respond to those threats. That way, when they’re face to face with the real thing, they can fight back just as they learned to do.

“We’ve got to impress on them how really important it is to be prepared,” says Beam, CIO for (ISC)², a nonprofit organization specializing in training and certification for cybersecurity professionals.

A prepared response to threats is the goal of security training programs, but data says organizations are falling short when it comes to getting their workers prepped for battle.

CSO’s 2020 Security Priorities research shows that 36% of security incidents stem from non-malicious user error such as being victim to a phishing scam or unknowingly violating security policy, while 27% of survey respondents say their organization provides inadequate security training for users.

Yet nearly a third—some 29% of survey respondents—say security training and awareness programs take their security teams away from more strategic tasks, an indication that a good number of organizations don’t rank this kind of preparation as part of their overall cybersecurity strategy.

That disconnect between the need for training and its perceived value comes at a particularly troubling time.

Many employees are still working from home due to the pandemic, and many employers are still implementing the stronger security measures needed to adequately protect the enterprise in this new widescale virtual work environment.

At the same time cyberattacks of all kinds are up, with phishing attempts spiking significantly. The FBI’s Cyber Division was getting upwards of 4,000 complaints about cyberattacks daily in the early months of the pandemic—a 400% increase—when everyone from schools to Fortune 50 business shifted to remote; cybersecurity firm MonsterCloud reported seeing an 800% increase in attacks during the spring.

Worse still, experts say cybercriminals are becoming more organized, more sophisticated and more targeted, with the number of spear phishing attacks also on the upswing. Cybersecurity firm Barracuda, for example, saw a 667% increase in spear-fishing attacks in the first month of the pandemic.

Security leaders say the security profession needs to step up awareness training, rid programs of what’s not working, and take more modern, effective approaches if it hopes to do a better job of counteracting the rising tide of threats. Training needs to be a valued, strategic initiative, they say, because much of what’s in place isn’t adequately preparing workers.

The problem with the program

Security awareness training dates back decades; its roots reside in the federal Computer Security Act of 1987, which said the lack of user awareness and security controls constituted significant threats. From that came the idea and the established practice of annual training requirements.

Annual training may have been adequate back in the late 1980s and even into the 1990s, well before most workers used computers and the rise of the internet, says John Eckenrode, director of cybersecurity at the advisory, consulting, and outsourcing services firm Guidehouse. But while the world has moved into the digital age, in many ways training has not.

Some 67% of the 1,873 security and tech leaders polled by ISACA for its 2021 Privacy in Practice report said they provide privacy training annually, while just 14% provide it quarterly. Some 52% also provide it as part of onboarding, and 18% offering training after the occurrence of a significant event. “We still have this annual training mindset, this one-and-done mentality, but we’ve outgrown that,” Eckenrode says.

On a related note, experts say some organizations continue to view training as merely a compliance requirement, an activity to pursue to check the box. They don’t truly value training as an opportunity to educate users on how they could help strengthen the enterprise security posture through understanding and following security controls and adopting best practices. As a result, these organizations generally don’t invest much in developing robust programs that really could make a difference.

But even organizations that do value training as a way to improve enterprise security often find their programs aren’t as strong as they’d like.

“Security awareness training is largely ineffective. These programs are at best minimally successful, and the ROI in terms of impact is pretty soft. Typical exercises run before or after training shows little difference,” says John Rostern, senior vice president of risk management and governance at the consultancy NCC Group.

Multiple security leaders offered a list of reasons why. They blame a lack of engaging content. They fault training content that is often too technical for most workers and lessons that are generic rather than tailored to different groups to address the risks and attacks they’re most likely to face. They also cite poor delivery of information, describing it as “boring.” And they point to lack of resources for improving the training materials as well as the frequency and type of training offered.

“The main reason that cybersecurity training and awareness programs are not effective enough is that these events are one-off and irregular. Information security practices turn out to be disconnected from the real work duties of an employee and are not integrated into the workflow,” says Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies.

“Very often organizations and their staff members receive theoretical knowledge and no practical skills at all. Theoretical knowledge has to be complemented by exercises that will help consolidate new skills. The materials themselves may be outdated or overlook the real threats relevant to the company. Monotony of training materials and complexity for employees not directly related to IT are two additional aspects that can render training and awareness programs ineffective,” she continues. “In some cases, a company does not have specific goals for training or metrics that help measure the results and understand whether the program is effective and what needs to be changed. There is no practical test of how well employees have mastered the program and how capably they can apply this knowledge in life.”

Research suggests just how ineffective training can be. The 2020 State of Privacy and Security Awareness report from Osterman Research and security training firm MediaPRO surveyed 1,000-plus employees across diverse types of organizations and job roles and found that “many respondents continue to hold persistent misconceptions about malware, phishing, and cloud file-sharing, putting their personal and employers’ data at risk.”

In fact, the study found that more than 60% of employees didn’t know whether their employer had to comply with major privacy regulations such the California Consumer Protection Act (CCPA) or the European Union’s GDPR.

Solutions for success

Of course, there are plenty of CISOs who have worked to make training and awareness key parts of their security strategies—and are having success in getting workers to be a more effective part of enterprise defense.

“Many businesses understand that in today’s environment they’re always connected and they have to protect their brand. They know a hack will be a hit to their brand and their reputation, so they know that they have to put more into security training and helping their people avoid being hacked. This is where they’re putting their energies these days,” says Kelvin Coleman, executive director of the National Cyber Security Alliance.

Coleman says he sees CEOs, boards, and other executives supporting the CISO’s efforts to make training a priority and to commit needed resources to make their programs stronger, more frequent, and ultimately more effective.

Many are doing quite well on these points, Coleman adds.

Ross Young, CISO of Caterpillar Financial Services Corporation and a lecturer with both SANS and Johns Hopkins University, has been advancing his company’s training program, considering how his team could add more engaging and impactful training by adopting gamification and other digital tools to make lessons more memorable and relatable to the scenarios that users will face in real life.

“We’re taking lessons from video games,” he says, adding that vendors now offer entertainment-like training that features escape room experiences and choose-your-own adventures to really bring users along with the lessons.

Young is developing ways to better target training so he can deliver more sophisticated lessons. And he’s analyzing performance to see which workers in which divisions repeatedly make mistakes, and in what ways, so Young and his security team can determine which policies are poorly understood and decide how best to address such issues.

Young says he believes finding new ways to measure the success of training efforts will be key to improving training overall.   “We need more guidance on what we want training to deliver,” he adds.

Others are likewise developing training programs that create a more security-focused mindset among its workforce.

For example, Michael Schenck, a senior cybersecurity consultant with the compliance advisory firm CyZen advocates using short bursts of information, taking 15 minutes to explore a single topic, and distributing these sessions throughout the year. He says these lessons are much easier to absorb than when they’re all packed into a long annual training event.

Schenck also believes in delivering lessons in multiple ways. “Everyone learns differently, so you have to have those broad avenues of delivering that information,” he says, adding that gamification and adaptive learning are often particularly effective in educating many workers.

Meanwhile, Eckenrode says CISOs should create procedures that make it easy for workers to put their lessons into practice. If they teach workers to spot and then report possible phishing attempts, for example, CISOs should have a clear and easy way for users to do just that.

And to really solidify the security lessons, Eckenrode and others stress that CEOs themselves should play a part. Workers who know that the CEO, as well as the board and the entire C-suite, value security training can help lessons sink in.