The most effective cybersecurity awareness training is personalized

By Matt Lindley, COO and CISO at NINJIO

As cyberattacks become increasingly frequent and destructive, cybersecurity education is no longer optional. When companies suffer a data breach, they’re liable to lose millions of dollars and the trust of their customers overnight. Cyberattacks are especially crippling with so many companies in the middle of sweeping digital transformations, which open up a vast array of new attack vectors and leave companies scrambling to diagnose and respond to breaches long after they have taken place.

Companies need to be capable of identifying vulnerabilities quickly and taking proactive measures to address them. This begins with the development of an effective cybersecurity awareness training (CSAT) program, as human error and negligence constitute the most urgent threats to the integrity of your networks and systems. The most common mistake companies make in the development of their CSAT programs is the failure to recognize that there’s no one-size-fits-all approach to cybersecurity training. Employees have different skill levels, personal circumstances, temperaments, and learning styles that all determine how they absorb and later retrieve information – as well as what cyberthreats they’re prepared to handle.

Employees should be fully engaged with what they’re learning, which requires lessons to be immediately applicable to their lives, built around their strengths and weaknesses, and capable of holding their attention. We’ve all been subjected to company-wide training content that makes us feel generic and expendable – content that’s more likely to alienate employees than educate them. Let’s examine a few of the ways companies can avoid this outcome by providing personalized CSAT training that actually works.

Personalized and evidence-based cybersecurity training

Too many companies emphasize inputs instead of outputs when they implement a CSAT program. Inputs include the number of employees who took a training course or the open rate for an instructional email, while outputs would be employee performance on phishing tests, real-world incident reports, and other tangible evidence that training is working. The final goal of any successful training program is long-term behavioral change, and companies have to honestly assess whether they’re making progress toward that goal.

One way to build a more effective CSAT program is to focus on personalization. A 2022 study on improving cybersecurity training suggests the application of personalized learning theory to account for “differences in learning styles, cognitive abilities and metacognition of individuals” and offer “tailored solutions optimized for each group of employees.” The researchers cite an earlier study which demonstrated that students who received personalized learning made “greater progress over the course of two school years.”

Personalized learning won’t just help employees acquire and retain information – it will also give CISOs and other company leaders a more in-depth understanding of their cybersecurity assets and vulnerabilities. This can include everything from which specific cyberattacks will likely be most effective to which employee traits (such as curiosity or anxiety) pose the most significant security risks. When companies evaluate their cybersecurity performance on an individual basis, they’ll be able to identify which employees are doing well, which ones are struggling, and how to allocate resources accordingly.

Evidence-based CSAT is vital at a time when companies are increasing their investments in cybersecurity and simultaneously trying to maintain healthy balance sheets.

Maximizing individual employee engagement

Your workforce is composed of busy professionals who are constantly trying to balance the demands of their jobs with a sprawling range of other responsibilities. If your CSAT program fails to capture employees’ attention, you can be certain that plenty of other distractions are there to fill the vacuum.

Each time employees interact with a piece of training content, there’s a narrow window to engage them, provide the information they need, and ultimately facilitate the adoption of healthy cybersecurity behaviors. This is why it’s crucial to ensure that content is entertaining, concise, and directly relevant to the employee in question. For example, let’s say an employee is about to start a project with several colleagues that will require significant time on Slack or some other cloud-based collaboration platform. Your training content could cover a real-world breach that used Slack as the primary attack vector, such as a recent hack that took place at Uber.

Personalized training can also focus on employees’ specific roles and areas where their skills need reinforcement. This can open opportunities for dialogue and show employees that their opinions matter while giving CISOs and company leaders insight into the state of the company’s cyber-preparedness.

Giving employees powerful incentives to learn

Companies have long approached workplace education as a reluctant necessity, from mundane onboarding videos that haven’t been updated in a few years (or decades) to workplace conduct training that exists to limit the company’s legal liability rather than genuinely improve its culture or teach employees. None of this educational content leads to sustainable behavioral change because it isn’t designed to do so – it was merely created to check a box marked “training.”

This status quo is a huge missed opportunity. A recent LinkedIn report found that the top driver of a great work culture is the availability of “opportunities to learn and grow,” while employees report that one of their main motivations to learn is training content which is “personalized specifically for my interests and career goals.” Similarly, Gallup’s State of the Global Workplace Report found that companies which provide learning opportunities and encourage employees’ personal development will improve the level of engagement among their workforces. These findings have clear behavioral implications: when employees feel like they have good reasons to learn, they’ll find it easier to pay attention, retain critical information, and put it into practice.

There’s a widespread misperception among employees that cybersecurity is too complicated or technical for them to grasp, but nothing could be further from the truth. Over 80 percent of breaches involve a human element, and many of these incidents could be prevented with a personalized cybersecurity education program. When this fact is clear to employees, they will have a compelling reason to learn about the cybersecurity principles and behaviors that will keep the company safe.


No posts to display