Highlights

  • Report results show a cultural gap between how users on the ground actually comply with best practices and the security awareness promoted by CISOs and security executives.
  • The study comes as the market for security awareness training is predicted to grow at a rate of USD 10 billion per year by 2027.

One of the biggest cybersecurity threats is human error. An employee need only enter their login credentials on a phishing website or open a malware attachment to give an attacker access to the network and trigger a breach that can cost millions of dollars.

While everyone makes mistakes, some employees are unaware of the security implications of high-risk activity.

According to Tessian research, while 99% of IT and security leaders agree that a strong security culture is important for maintaining a strong security posture, 30% of employees do not believe they personally contribute to the upkeep of their company’s cybersecurity posture. Investigation and corrective action during a data breach are also significantly harder for security teams because just 39% of employees say they are very likely to report a security event.

Overall, these results show a cultural gap between users on the ground, who take a more lax approach to following best practices, and the security awareness promoted by CISOs and security executives.

What is the root of this cultural disparity?

The key factor behind the cultural gap between security leaders and employees seems to be how poorly businesses have communicated the importance of security-conscious habits. As noted in a Forrester report, many security professionals have a limited understanding of how to shape employee behavior and build a culture of security awareness. They have “reverted to characterizing their content and quizzes as tools to assess employee engagement and behavior.”

Many of these teams also give users uninteresting training. Tessian’s study underlines this: only 28% of UK and US workers think security awareness training is engaging, and only 36% report paying full attention.

“Employees focus on what they perceive their role to be. If leadership treats security as separate from everyday work, if security is only spoken about during annual training time, people will do what matches with their perception of their job,” said Kim Burton, head of trust and compliance at Tessian.

Security awareness training must be continually reinforced in a way that is engaging for the people being trained and clear about its goals. In practice, this means tailor-made training sessions that deliver knowledge in a form that suits employees’ learning preferences.

“It’s been proven time and again that ‘one-size-fits-all’ security awareness training is not effective or engaging. Smarter, more entertaining, and tailored training can encourage employees to play a more active role in maintaining the organization’s security posture,” Burton said.

A quick examination of the security awareness training industry

The study predicts that the market for security awareness training will grow at a rate of USD 10 billion per year by 2027. A notable player in the market is KnowBe4, developer of a platform for security awareness training programs, which offers a library of training materials including modules, videos, games, posters, and newsletters.

KnowBe4, which supports thirty-four languages, also acquired SecurityAdvisor last year to add real-time detection of high-risk behavior. The company recently disclosed that its annual recurring revenue (ARR) for the previous year was USD 285.4 million.

CybSafe, which offers security awareness training and phishing simulations to businesses, is another notable competitor. It collects behavioral event data that security teams can analyze to gain insight into user behavior. CybSafe recently announced that it had closed a series B investment round, raising USD 28 million.

CybSafe focuses more on risk quantification, gathering employee behavioral data, and identifying high-risk individuals who may need additional training support, whereas KnowBe4 focuses more on security awareness training solutions that let security teams create and deploy training campaigns.

How businesses can improve security awareness training

According to Burton, there are several crucial actions firms can take to improve security awareness training. The first is to drop fear-mongering tactics and reward employees for their awareness with praise rather than discipline. The second is to account for how stress affects security practices: employees who are stressed and overworked are more likely to click on a link to a phishing site. Encouraging staff to take full, regular breaks between virtual meetings, or introducing no-video meeting days, can reduce high-risk behavior.

Businesses can then build on this by tailoring security awareness training to user responsibilities, incentives, and behaviors across departments and demographics, giving users a highly customized experience.

It’s crucial to set out the broad objectives for the security awareness training your company develops. To establish objectives for training programs, Gartner advises security leaders to draw up a list of the security practices they want users to incorporate into their daily behavior, such as all end users choosing strong passwords, checking links before clicking them, and transferring sensitive information only via secure, approved channels.