
Your employees have taken security awareness training, you’ve tested them with phishing simulations, and you’ve warned them about the latest social engineering schemes. Have you done enough to shore up your human defenses against outsider attempts to gain sensitive information?
Despite years of security awareness efforts and increased training, social engineering remains a top attack vector in breaches. According to the Verizon 2024 Data Breach Investigations Report (DBIR), 68% of breaches involved a non-malicious human element – incidents in which people fell for social engineering attacks or made insider errors. This percentage remained consistent with the prior year’s, suggesting security awareness training failed to make an impact.
If traditional security awareness training platforms aren’t working, why is their effect limited and can they be improved?
In Gartner’s Top Cybersecurity Trends for 2024, the research and consulting firm cites the need for Security Behavior and Culture Programs (SBCPs) that go beyond basic awareness training metrics. Such programs provide contextual data and targeted engagement to foster employee behavioral change and reduce cybersecurity risks.
Why isn’t traditional security awareness training making bigger strides in reducing cybersecurity incidents associated with employee behavior? Top reasons include:
Lack of contextual data. A traditional security awareness training platform tends to provide data without the context needed to be actionable. For example, a training question like the following aims to measure changed behavior but lacks the needed context: “Did anything from this video/quiz change the way you look at security?” If that training was a review, the employee is stuck either honestly answering no (which registers as negative sentiment) or answering falsely. Neither response provides an actual snapshot of the employee’s true awareness.
Limited measurements. Standard security awareness training platforms typically measure three key performance indicators: module completion, knowledge checks, and phishing simulation click rates. Jason Marocchi, Cybersecurity Engineer at Sayers, says:
“Those metrics are a good start since you have to start somewhere. Based on those three points, you can try to identify who your most risky users are. But without that additional context, are you truly getting the right answer?”
Just checking the box. Some organizations invest time and resources to deploy security awareness training primarily as a box to check for compliance. They’re focused more on compliance than changing behavior to reduce social engineering breaches.
According to the Verizon 2024 DBIR:
“Social engineering is extremely common and remarkably effective because it targets individuals versus systems. It’s much easier to harden a system than it is to harden an individual.”
With ongoing security awareness efforts, your organization’s phishing simulation scores might improve. But where are the valuable returns in organizational security posture? That’s where SBCP comes in. Marocchi says:
“SBCP takes what security awareness training was meant to do, builds on the simulation pieces and training, and adds the needed context.”
SBCP goes beyond the traditional objectives of security awareness training, which Gartner describes as:
Building on those foundational objectives, SBCP aims to change behavior and culture by shaping employee behavior so that it actively helps manage cyber risk. Marocchi says:
“We want to lower the direct correlation between social engineering and data breaches to finally move the needle with something that’s usable outside of just training simulations. Adding the missing context is where security awareness is moving, so we can better answer who our riskiest users are and actually change their behavior.”
SBCP includes targeted training that identifies your riskiest users as well as which business units are the prime targets of social engineering. Such tailored training reflects the actual attack surface used in real-world security incidents, improving on the company-wide generic phishing simulation.
A Security Behavior and Culture Program can make the most of your existing security awareness training platform by combining data from multiple sources in your current security stack for better context and actionable data.
By using custom templates and targeted training for specific business units, departments, or individuals, you can shore up your organization’s defenses where they’re most needed.
When selecting your security awareness platform as part of a broader Security Behavior and Culture Program, consider these best-of-breed features including:
Questions? Contact us at Sayers today to discover extensive technology solutions, services, and expertise to cover all areas of your business.