In broad terms, you could think of security awareness training as making sure that individuals understand and follow certain practices to help ensure the security of an organization. From this perspective, security awareness training has been around practically forever, especially when you consider the need for security in military applications.

Today, security awareness training emphasizes information security, and especially cybersecurity. Rapid advances in information technology — and parallel innovations by cybercriminals — mean that employees and other end users need regular, specific training on how to stay safe online and protect their information and that of their employers.

This article is an introduction to security awareness training: why organizations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness program.

Why Do Organizations Conduct Security Awareness Training?

Security awareness training has a critical role to play in minimizing the serious cybersecurity threats posed to end users by phishing attacks and social engineering. Key training topics typically include password management, privacy, email/phishing security, web/internet security, and physical and office security.

There’s also a business case to be made for security awareness training, as explored in the Aberdeen Group’s report, Security Awareness Training: Small Investment, Large Reduction in Risk. The researchers conducted a workshop with enterprise security leaders to find out why they invest in security awareness and training. They found that:

  • 91% use security awareness to reduce cybersecurity risk related to user behavior
  • 64% use it to change user behavior
  • 61% use it to address regulatory requirements
  • 55% use it to comply with internal policies

As these statistics suggest, some organizations use security awareness training simply because they must, in order to comply with external or internal requirements. But this training also makes financial sense, according to the report: “an incremental investment in security awareness training results in a median reduction in the annualized risk of phishing attacks of about 50%, and a median annual return on investment of about 5 times.”

The Evolution of Security Awareness Training

While the core concepts of security awareness training aren’t new, the practice has reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cyber Security Awareness Month. The initiative, by the National Cyber Security Alliance and the US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as the regular updating of antivirus software.

Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.

The focus, methods, and effectiveness of security awareness training have undergone significant changes over the years. Back in 2004, most programs were driven by the need for compliance — simply meeting regulatory requirements. Today, that focus has shifted to seeing security awareness training as a means to manage and mitigate organizational risk.

Along the way, training methods themselves have matured. In 2004, the dominant paradigm was the annual presentation, delivered either as an in-person training session or as long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. A gradual shift toward short, focused training on individual topics was an improvement, but these sessions were still delivered infrequently, which allows knowledge to dissipate over time.

Around 2014, security awareness training began shifting toward continuous education and improvement, in which a program includes ongoing cycles of assessments and training. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end user exhibiting poor cybersecurity behavior, such as unsafe web browsing.

Tools for Training End Users

Today, infosec professionals use a variety of tools to train end users, as can be seen in our 2019 State of the Phish™ Report. The dominant tool — and one that continues to grow in popularity — is computer-based awareness training.

  • 79% use computer-based awareness training
  • 68% use phishing simulation exercises
  • 46% use awareness campaigns (videos and posters)
  • 45% use in-person security awareness training
  • 38% use monthly notifications or newsletters

Well-designed training programs often make use of several of these tools. Equally important is to deploy these tools in a systematic, methodical way that allows you to track and measure progress over time.

Our highly effective training solutions utilize our Continuous Training Methodology, designed with Learning Science Principles to engage the learner and change behavior. The way we employ Learning Science Principles was proven to be effective through research performed at Carnegie Mellon University.