How Security Awareness Training Is Evolving

​HR departments were once blissfully divorced from cybersecurity responsibilities—but not anymore. Today, they are increasingly involved in cyber-training programs for employees. Security awareness training, in particular, has risen from obscurity a decade ago and is now a huge industry. According to Cybersecurity Ventures, the security awareness training market is worth $5.6 billion in 2023 and is expected to almost double in value by 2027 to over $10 billion.

The driver of this trend has been the relentless phishing campaigns of cybercriminals. This year's installment of the annual Verizon Data Breach Investigations Report (DBIR) found that 74 percent of data breaches involved a human element, with phishing (a.k.a. social engineering) being one of the most prevalent attack vectors. In addition, 50 percent of all social engineering attacks involve pretexting—researching the intended phishing victim prior to launching an attack (such as reading their social media posts to glean background information on their job, family, lifestyle and habits). Businesses have realized that no matter how much they spend on cybersecurity, their employees and suppliers remain their weakest link. If they keep falling prey to phishing scams via emails, then the bad guys can gain access to the network and launch a ransomware attack.

"Given that it is impossible to prevent all attacks automatically, we need to make humans part of our firewall," said Jamal Bihya, an analyst at technology research firm GigaOM in San Francisco. "Awareness training enables the mitigation of human risk when sitting in front of a computer."

How HR Builds a 'Human Firewall'

In addition to network firewalls and other security safeguards, companies are investing in the creation of a "human firewall" of employees who are educated enough not to fall for phishing scams. As every employee now has a definite cybersecurity duty, it is up to HR to train them. This often takes place during onboarding and in regular, usually quarterly training modules to keep phishing alertness front and center. Such training also covers password policy, breaking bad password habits and other areas of cyber-hygiene.

"The idea behind awareness training is, 'Change everyone's reflexes,' " Bihya said. "If I see an email with a link, my reflex should be to not click on the link."

With human error being the path of least resistance for cybercriminals, the need to bring awareness and education to employees through security awareness training has been given more priority. It has become clear that annual lunch-and-learn trainings are no longer enough.

"While providing people information does have value, changing behavior should be the focus of an awareness program," said Erich Kron, security awareness advocate at cybersecurity training firm KnowBe4. "Education should not be limited to topics that focus on email phishing, but also to overall security hygiene, including how to secure accounts with multifactor authentication (MFA) and how to use tools such as password vaults to create long, secure, and especially unique passwords."

The Evolution of Security Awareness Training

In recent years, security awareness training has evolved to incorporate adult learning principles and elements such as:

• Continuous awareness, training and education on the cyberthreat landscape. Rather than text, most training modules use audio and visual elements with characters acting out scenarios of good and bad behavior.
• An opportunity to apply what has been learned using simulated programs, where fake phishing emails are sent out at random times to people in the organization to see how many are tricked into clicking on malicious attachments and links.
• Assessments and quizzes. At the end of each section of training, the employee answers a few questions to see if they have understood the concepts. Then at the end of the module, they are assessed on their likelihood to follow the principles taught.

Kron recommended that HR departments find ways to automate training assignments and use positive messaging when communicating about such programs. Having leadership reinforce the importance of education and training programs can also improve completion rates and reduce the effort required to ensure people are doing the training. Kron favors the deployment of shorter training sessions more often and with a more targeted and thought-out approach.

"Unlike in the past, different types of training are now being developed to communicate with employees in the form of games, animation, live-action teaching and even season- and episode-formatted shows that look like high-quality television productions," he said.

In addition, AI components are being introduced to tailor content provided to employees, based on their own specific areas of weakness or the latest threat vectors. Another development is point-of-failure training to provide real-time guidance as to why an action taken by an employee could be dangerous. This helps people better understand the threats they face and the purpose of the policies or security controls they may have inadvertently violated, or the reason for the simulated attacks.

"Security awareness has begun to blend into programs related to physical safety and awareness," Kron said. "Just like safety campaigns that have been run for decades to warn people of dangers from machinery, chemicals and other physical threats, digital dangers will also be addressed in the same way with signage and coordinated, highly visible campaigns."

Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.