Chances are you have spent some of your work hours clicking through your company’s cybersecurity awareness training modules. As you progressed through the training, you may have hoped to get just enough answers right so you could return to your real work. You may even have resented how much time it took from your day and wondered if it made a difference.
Despite the continued use of cybersecurity awareness training programs, it has become clear that the typical approaches simply don’t work as well as they should. Employees often fail to retain the information they are taught. One reason may be what the 19th-century German psychologist Hermann Ebbinghaus called the “forgetting curve.” In Ebbinghaus’s experiments, newly learned material that was neither reinforced nor connected to previous knowledge was forgotten at a steep rate: an average of 56% was gone within an hour, 66% after a day, 75% after six days, and nearly 80% after a month.
Cybersecurity awareness training can also fail because it focuses on the wrong things and uses a one-size-fits-all approach. In addition, the training often has a punitive nature when instead it should seek to create a real culture of security.
“We make people who have better things to do sit through an hour or more of cybersecurity talk that they don’t care about, and they don’t retain the information,” said Jinan Budge, a vice president and principal analyst who leads Forrester’s security and risk research in Asia Pacific. “As a result, they end up hating security.”
A New Approach Emerges
The shortcomings of security awareness training have pushed the industry to pioneer a new category of cybersecurity protection, one that focuses on understanding the human risk within an organization. It aims to analyze the cybersecurity behavior of individual employees, divisions, and geographies, then promptly provide users who deviate from security policies with short, constructive “learning moments.” The goal of the approach is to change cybersecurity behaviors and culture permanently.
Because this is a relatively nascent area, vendors and analysts are calling it different things. KnowBe4 calls it human detection and response (HDR), while Living Security calls it human risk management (HRM). Forrester, meanwhile, calls it human risk quantification (HRQ).
The underlying idea behind the new approach is to provide a gentle yet persistent way of reinforcing good cyber hygiene, said James McQuiggan, a security awareness advocate at KnowBe4.
“Rather than hitting employees with so much training, this is a way to provide small, friendly reminders whenever something happens that triggers [an intervention],” McQuiggan said.
KnowBe4’s HDR offering, Security Coach, is based on its recent acquisition of SecurityAdvisor. Security Coach pushes micro-learning modules to users based on parameters set by the customer organization. The offering integrates with KnowBe4’s existing security awareness training platform.
Living Security, another enterprising vendor in this space, provides Unify Insights. Its HRM offering quantifies human risk, engages users, and then measures changes in user behavior. Its human risk index provides risk scores for the organization, user segments, and individuals, and pinpoints specific weaknesses that get immediately addressed through short and targeted training sessions.
There are plenty of examples of how a training session could be triggered, including these scenarios:
- an employee clicks on a phishing email or shares confidential information with an external source;
- an employee avoids using a specific password manager required by the company;
- a system detects that a user has created a weak password;
- a new hire makes errors while getting accustomed to the tools they need to use;
- a user disables the company VPN because it’s too much of a hassle.
Features of New Cybersecurity Awareness Training Products
So far, only a handful of vendors are at work in this space. In addition to KnowBe4 and Living Security, vendors offering similar products include Elevate Security and CybSafe. While products work somewhat differently, they share many attributes.
Products tend to use a data-based approach that centers on quantifying and measuring security behaviors. In most cases, they integrate with most or all of the security tools an organization already runs, from antivirus and firewalls to endpoint detection and response (EDR) and extended detection and response (XDR), and use those tools’ alerts as the signal that a behavior occurred.
In addition, user behavior data can be fed back to the organization’s security operations center, highlighting areas that need work. If a user or group performs an action outside acceptable cybersecurity behavior, they receive a short “coaching moment” – e.g., a five-minute video delivered via email, Slack, Teams, or another communication platform.
“Let’s say you plugged in a flash drive that had malware on it and [the malware] was detected,” McQuiggan said. “The person might get an email saying, ‘We wanted to let you know that you inadvertently introduced malware into our environment through a flash drive. Here are some of the dangers that can occur if you don’t know where the flash drive came from or what’s on it.’ ”
This data-based approach can also provide valuable information to security teams. For example, if some learning prompts are triggered more than others, they may point to a persistent issue that the security team must prioritize.
“CSOs and security program owners really just want to see what’s going on so they can assess their human risk index,” Living Security CEO Ashley Rose explained. “With that information, they can better understand what groups or people are the most at risk and most vigilant, and they can prioritize their program focus and determine what actions to take.”
Finally, these offerings take a markedly different approach to measuring training success. With traditional security awareness training, NIST research found that most organizations measured success simply by the number of training modules completed or by whether phishing simulation click rates decreased. Other organizations relied on employee feedback, attendance at security awareness events, and online views of security awareness materials.
These new products measure success with more sophisticated frameworks, such as a human risk index that is tracked over time for individuals, groups, and the organization as a whole.
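To make the pipeline described above concrete, the following is an added example, not code from KnowBe4, Living Security, or any other vendor named on this page. It models the three pieces the article describes: security-tool events for the trigger scenarios listed earlier (phishing clicks, weak passwords, a disabled VPN, malware on a flash drive, external sharing) are parsed from a constructed log; each event may produce a rate-limited coaching moment, so a user is reminded “gently yet persistently” rather than nagged several times in a day; and the same events are rolled up into a human risk index per user, per segment, and organization-wide, plus a count of which triggers fire most often for the security team to prioritize. The log format, category names, weights, cooldown, 30-day window, and message text are all assumptions made for the example.

```python
# Added example (not vendor code): a minimal human-risk pipeline that turns security
# tool events into per-user/per-segment risk scores and rate-limited coaching moments.
# Event format, categories, weights, cooldown, window and message text are assumptions.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed per-category severity weights; a real product tunes these per customer.
WEIGHTS = {
    "phish_click": 5,     # clicked a (simulated) phishing link
    "external_share": 4,  # sent confidential data to an external address
    "weak_password": 3,   # password-strength check failed
    "vpn_disabled": 3,    # user turned off the corporate VPN
    "malware_usb": 6,     # AV/EDR detected malware on a removable drive
}

# Assumed coaching text; a real product pushes a short video or module instead.
COACHING = {
    "phish_click": "That link came from a simulated phishing email. Here is how to spot the signs.",
    "external_share": "That file was marked confidential. Here is how to share it safely.",
    "weak_password": "That password is easy to guess. Here is how the password manager can help.",
    "vpn_disabled": "The VPN protects your traffic on untrusted networks. Here is why it matters.",
    "malware_usb": "That flash drive carried malware. Here is what to do with unknown media.",
}

COOLDOWN = timedelta(days=7)   # assumption: no repeat coaching on one topic within a week
WINDOW = timedelta(days=30)    # assumption: the risk index counts only the last 30 days


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    segment: str    # division or geography
    category: str


def parse_events(lines):
    """Parse the constructed '<iso-ts> <user> <segment> <category>' format, oldest first."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, segment, category = line.split()
        if category not in WEIGHTS:
            # Fail loudly: silently dropping unknown categories would hide detector changes.
            raise ValueError(f"unknown behaviour category {category!r}: {line}")
        events.append(Event(datetime.fromisoformat(ts), user, segment, category))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Coach:
    """Emits at most one coaching moment per (user, topic) per cooldown period."""
    last_sent: dict = field(default_factory=dict)

    def consider(self, ev):
        key = (ev.user, ev.category)
        last = self.last_sent.get(key)
        if last is not None and ev.ts - last < COOLDOWN:
            return None                      # suppressed: gentle, not nagging
        self.last_sent[key] = ev.ts
        return (ev.user, ev.category, COACHING[ev.category])


def risk_index(events, now):
    """Weighted sum of events inside WINDOW, per user, per segment, and org-wide."""
    users, segments = Counter(), Counter()
    for ev in events:
        if now - ev.ts > WINDOW:
            continue                         # old behaviour ages out of the score
        users[ev.user] += WEIGHTS[ev.category]
        segments[ev.segment] += WEIGHTS[ev.category]
    return sum(users.values()), dict(segments), dict(users)


def top_issues(events):
    """Which triggers fire most often: what the security team should prioritise."""
    return Counter(ev.category for ev in events)


def run(lines, now):
    events = parse_events(lines)
    coach = Coach()
    sent = [m for ev in events if (m := coach.consider(ev)) is not None]
    org, segments, users = risk_index(events, now)
    return {"sent": sent, "org": org, "segments": segments,
            "users": users, "issues": top_issues(events)}


# Constructed sample telemetry, not real data.
SAMPLE_LOG = """
# ts                 user   segment  category
2024-05-01T09:12:00  alice  sales    phish_click
2024-05-01T09:40:00  alice  sales    phish_click
2024-05-02T14:05:00  bob    eng      weak_password
2024-05-03T08:30:00  carol  sales    vpn_disabled
2024-05-10T11:00:00  alice  sales    phish_click
2024-05-12T16:20:00  dave   eng      malware_usb
2024-03-20T10:00:00  erin   eng      external_share
""".splitlines()
NOW = datetime(2024, 5, 15)

if __name__ == "__main__":
    result = run(SAMPLE_LOG, NOW)
    for user, category, msg in result["sent"]:
        print(f"coach {user} on {category}: {msg}")
    print("org risk index:", result["org"], "by segment:", result["segments"])
    print("top issue:", result["issues"].most_common(1))
```

Two details are worth noting. Alice’s second phishing click 28 minutes after the first is suppressed by the cooldown, but her click nine days later is coached again, which is the “persistent” half of the approach. Erin’s external share from March still counts in the trigger statistics the security team sees, but it has aged out of the 30-day risk index, so a score and a raw event count answer different questions.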
Doing It Right
Moving toward the new training approach requires buy-in from leadership and the creation of comprehensive security policies. Additionally, it’s critical to focus on positive reinforcement instead of the punitive measures that traditional cybersecurity training frequently relies on.
“If employees have to train, it might as well be fun and engaging,” Rose said. To that end, Living Security provides access to content such as cybersecurity escape rooms and live-action modules.
Organizations must also create a feedback loop. “Companies hear from employees all the time that they were asked to complete training and it was never mentioned again. They want to know how they performed,” Rose noted. “The company needs to address it with the employee. It reinforces everything and empowers them to take an action, like downloading a password manager or being more cautious with opening email attachments.”
During the next three years, Budge expects this market to explode. She said the market might evolve into “adaptive people protection” – a process that reduces training in favor of automated processes, tools, and policies that protect employees.
“Your role as a human is to be human,” Budge said. “Security should do its job.”
About the author: Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.