What are the four types of security awareness training, and what can they do?
Your friend Mona is desperate to learn how to play guitar.
So one day she buys a book called The Ultimate Guide to Becoming a Guitar Pro. She spends hours reading it. But when she picks up her guitar, she can’t put any of it into practice.
But she’s determined not to give up. She starts watching video tutorials. She listens to them explain the techniques. She feels like she’s getting there. But something’s still missing.
She joins a local guitar class. Meets likeminded guitar enthusiasts. She asks questions and gets feedback. The theory she’s read about makes more sense now.
The class holds mini gigs so students can practice performing in a safe space. Mona learns how to use her new skills—even under pressure.
Before long, she’s performing complex pieces at crowded concerts. And she’s getting it right every time.
Mona’s story reflects just some of the reasons we go on about how security awareness is dead.
💡 A survey by MediaPro found that 76% of employees lack cybersecurity awareness.
What has this got to do with security awareness training?
The fact is, your organization is full of Monas.
The skill at hand isn’t guitar, but handling cybersecurity risks.
You want her to be a maestro. No, more than that—the organization’s survival depends on it.
So WHY do you keep on giving her the same old dusty book and expecting stellar results?
What should you be giving her instead? What type of training is going to give Mona the skills and attitudes she needs to protect herself and the organization?
And can she do it? Every. Single. Time?
It’s probably a combination of some of the four main types of security awareness training. And we’re about to get into them.
We’ll look at their pros and cons, and we’ll give you tips on how to make a sound choice for your organization.
And then, because we like you, we’ll even throw in some security awareness training FAQs.
Did you know that 95% of cyber attacks are caused by human error? That’s right—according to Cybint, almost all cybersecurity incidents can be traced back to someone within an organization making a mistake.
Whether it’s falling for a phishing email or using a weak password, that means one thing for your organization:
Heaps of stress, a hit to your reputation, and financial damage too.
All of which means it’s clear that human error is a major threat to cybersecurity.
We’ve never said that security awareness training is the be all and end all. Far from it.
But you can’t do without it. So let’s get started.
💡 According to IBM Security, in 2021 the average cost of a data breach was $4.24 million.
Type 1: Classroom-based training
Think “education”, and most of us will still think of this scenario, right?
By classroom-based training, we mean anything that involves bringing people together . . . in (shocker) a classroom. Or, really, any physical space set up for learning.
An educator leads the session, and you and your workmates learn the same things, together, at the same time.
Personalized: Classroom-based training can be personalized and interactive. Trainers can tailor the content to the needs and questions of the participants.
Team-building: Participants work together to learn about cyber threats and how to prevent them. This means sessions benefit team-building and collaboration.
Costly: Classroom-based training can be expensive. This is particularly true for larger organizations or those whose people work from home.
Time-consuming: Classroom-based training can take up bit chunks of time. That’s true both of preparation and delivery. And everyone’s already suuuuuper busy. So they may resent taking time out for training.
Limited scalability: Classroom-based training is not easily scalable. That makes it a less practical option for larger organizations with multiple locations.
💡 On average, it takes 280 days to identify and contain a data breach, according to IBM Security
Type 2: Web-based training
Web-based training, also known as e-learning, is how so much training of all kinds is delivered today.
And it’s also a popular approach to security awareness training that is delivered online.
This is usually through modules, which people can access via a platform.
Convenient: It’s convenient and accessible. That’s because people can do it on their own schedule and at their own pace.
Scalable: Web-based training is easily scalable. That means it’s more practical for larger organizations or where people work across different sites and at different times.
Cost-effective: Web-based training can be a cost-effective approach to security awareness training, with minimal overhead costs compared to classroom-based training.
Limited engagement: If we didn’t know this before Covid-19 lockdown, we sure know it now. When people are getting information through a screen, the temptation to CTRL+T and shop for a new wardrobe mid-session can be immense. It can be hard to keep people’s motivation and concentration levels high.
Limited personalization: It just can’t provide the same personal touch as classroom-based training. People won’t get the benefit of asking questions or getting tailored feedback. And that’s a definite downside.
💡Human error caused 90% of cyber data breaches in 2019, according to a CySafe analysis of data from the UK Information Commissioner’s Office (ICO).
Nine out of 10 of the 2,376 cyber-breaches reported to the ICO that year were caused by mistakes made by end-users. This marked an increase from the previous two years, when respectively, 61% and 87% of cyber-breaches were ascribed to user error.
Oz Alashe, CEO of CybSafe, said: “It’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”
Type 3: Simulated phishing attacks (and other social engineering attacks)
You’ve probably sent your people some fake phishing emails before.
Your goal? To test their ability to recognize and respond to phishing attempts. And meanwhile, you hope they’ll get a “near miss” reminder in the process.
Realistic: Simulated phishing attacks are more realistic and hands-on than other training types. It allows people to experience first-hand what a phishing attempt looks like. Most importantly it gives them practice on how to respond.
Targeted: Simulated phishing attacks can be targeted to specific departments or people. The result is a more personalized and effective experience. More training bang for your training buck.
Data-driven: It’s a way to get valuable data on behavior and vulnerability to phishing attacks. That means you can zoom in on areas for improvement and adjust someone’s training program.
Potentially stressful: Simulated phishing attacks can be anxiety-inducing for your people. Especially if they don’t know it’s all part of a training exercise.
Time-consuming: Running simulated phishing attacks isn’t a quick one-and-done. And this is doubly true when it comes to analyzing and responding to the data you collect from the exercise.
Limited scope: Simulated phishing attacks are effective in one arena only: measuring and strengthening phishing awareness. But there’s no pretending that they’ll do anything to cover any other types of cyber threat.
Potentially counterproductive: When done wrong, phishing attacks cause more harm than good. If employees think they’re being tricked it can erode trust. People switch off to the security team and report real attacks less.
💡 Organizations with effective security awareness training programs experience a 50% lower risk of a security breach, according to the SANS Institute.
Type 4: Security awareness computer-based training
It looks like we’ve put web-based in twice. But we’ve not lost the plot, no, not just yet.
This is a style that combines web-based training with simulations and interactive modules. The mission is to give people the engagement level of a classroom but with the convenience of web-based training.
Interactive: Security awareness computer-based training provides an interactive and engaging experience for participants. It features fun things like simulations, quizzes, and gamification to give a better learning experience.
Personalized: Security awareness computer-based training can be shaped to the needs and preferences of each person. And a more tailored training experience = a more effective training experience.
Scalable: Security awareness computer-based training is easily scalable, making it a practical option for larger organizations or those with numerous locations, including work from home.
Costly: Security awareness computer-based training can cost more than other types of web-based training. That’s especially true if you opt for highly customized content.
Potential for technical issues: Anything delivered on a device is prone to technical issues or glitches. And that can put a dent in training’s effectiveness.
Limited personal interaction: While security awareness computer-based training can be personalized. But it’s not the same as having an expert in the room, as with classroom-based training.
💡 Only 38% of global organizations claim they are prepared to handle a sophisticated cyber attack, says ISACA.
How about the new security awareness training trends?
As we all know, cybersecurity threats are getting more complex by the day. But, keeping up with the latest trends in security awareness training can help you stay ahead of the curve. Here are some of our top picks.
First up, we’ve got gamification. Who doesn’t love games? By adding game elements like points and badges, training can become more fun and engaging. Plus, it can help people retain important security concepts and behaviors.
Next, we’ve got microlearning. Think bite-sized bits of information delivered as videos, quizzes, or infographics. It’s way easier to fit this into a busy schedule. Plus it helps people to focus on specific topics. And it’s way more interesting than sitting through long, boring lectures.
Virtual reality is another game-changer in security awareness training. With VR, people can practice our responses to real-life scenarios in a safe environment. Plus, it’s super immersive and engaging. It’s like being in a video game, but with real-world consequences.
Personalization is also key. By tailoring training to individual needs and preferences, we can stay engaged and motivated. It’s like giving each person in your organization a personal coach that understands them and knows how to keep them on their toes.
Cybersecurity nudges are messages, notifications, and prompts that help people do security a little better, every time. They’re the complement to your security awareness and training that can help you achieve your security goals.
Last but not least, continuous learning is the way to go. Security awareness training should be an ongoing process, not a one-time thing. Regular updates, refreshers, and reminders keep us up-to-date on the latest threats and best practices.
Incorporating a couple of these emerging approaches could make all the difference in protecting your data and systems from cyber threats. Which will you adopt?
So, how do you choose the right type of security awareness training?
All those pros and cons are important to weigh up. But how do you turn them into the right choice for your organization?
Well, remember Mona?
Mona used a combination of book learning, video tutorials, and in-person instruction to learn the guitar.
Each format brought something different to the table and helped her to progress to pro level.
And just like Mona, people learn best through a mix of training formats. That’s how they can best learn and use security awareness skills.
That’s what it takes for people to become truly equipped to identify and respond to security threats.
The smartest organizations use a combination. Some may even mix all of them in a heady cocktail.
💡 The average cost of a phishing attack is $1.6 million, according to research from Accenture.
But whatever your training goals or organization setup, be sure to factor these into the equation:
Size and structure of your organization: Large organizations may benefit from more scalable approaches like web-based training. Meanwhile, smaller organizations may prefer to opt for classroom-based training.
Budget: Some types of security awareness training, like classroom-based training or security awareness computer-based training, may be more costly than others.
People’s schedules: If your people have busy schedules, web-based training or security awareness computer-based training may be more convenient and accessible.
Training goals: What specific goals do you want to achieve with your security awareness training? The type of training you choose should be the one that best aligns with those goals.
Training frequency: Some types of security awareness training, like simulated phishing attacks, may be better suited for periodic or ongoing training rather than one-time events.
The security behaviors you are influencing: The links between security behaviors and risks are not always clear. It’s hard to know which interventions and training to apply. Knowing how behaviors affect risk changes things.
So, you understand just how valuable the right training program can be for any organization.
So maybe this has piqued your interest in learning more about security awareness training? Or perhaps you want to guarantee that your program is effective for your organization.
Then download our ebook. It’s a comprehensive guide on the latest trends and best practices in security awareness training.
And it’s free, so it’s an easy win to start improving your organization’s cyber security.
Here’s to pumping up the people power in your cybersecurity!