Cyber security training programs often fall short in reducing the risks associated with cyber attacks, according to a security expert. This is a critical problem given that the majority of attacks target people. What’s more, most business leaders believe their cybersecurity risk level is rising.
Why do training programs fall short? They fail to change behaviour, said Mark Gaudet, Cybersecurity Products Manager at the Canadian Internet Registration Authority (CIRA). “Awareness alone is not enough,” he said. “To get people to care, you must change their perceptions. To change their perceptions, you have to change the narrative. It’s all about advancing a model for building a true culture of security.”
Awareness … or knowledge?
The critical point between success and potential failure, according to Gaudet, is in the difference between simple awareness and true knowledge.
“Policies don’t translate into instructions of what people should be doing to work securely,” he said. “For that, we must move beyond, for example, what phishing is, to why it’s bad and how it works at an emotional level to hijack the brain.” Gaudet said there’s a big difference between looking for typos and strange email addresses and recognizing when your emotions have been triggered.
Measuring the effectiveness of security awareness training
Measuring the effectiveness of cybersecurity training requires more than just monitoring a set of metrics. It’s critical to establish a solid, well-planned strategy at the outset. This strategy will answer basic questions such as what you want to achieve security-wise and how you want to achieve it.
“There are multiple levels or facets to measuring cybersecurity training,” said Gaudet. “Most awareness training tools provide basic metrics on how a program is running, mostly along the lines of training course completion and/or phishing campaign metrics.”
The focus has to be on behavioural change, Gaudet said. The critical next level in cybersecurity measurement involves “people metrics,” extracted from user surveys as indicators of cultural trends and attitudes, and how employees really feel about cybersecurity.
“This is where the rubber really hits the road,” said Gaudet. “This deeper-level intel tells the real story. When you get this sort of information, you can really begin working to change the perception of cyber-threats in your organization.”
Training that brings results
CIRA Cybersecurity Awareness Training was built with the idea that only an engaged user can truly reduce a company’s level of cybersecurity risk.
“Our training seeks to make it easier for people to do the right things rather than the wrong things,” said Gaudet. “We offer IT professionals and the security team a cloud-based platform for not only training people, but also simulating phishing tactics and finally measuring the results.”
Organizations that use CIRA’s training program have found that their employees are, on average, three times less likely to click on phishing emails. The goal is to empower users to be part of the solution and not a risk to be managed, said Gaudet.