8 reasons your cybersecurity training program sucks and how to fix it

Companies are struggling to engage their employees in taking cybersecurity awareness training, having often to make it mandatory for staff to oblige. The ongoing financial constraints affecting all businesses also mean more work on smaller teams that then need to take time to go through very uninspiring training. The solution is to reimagine these programs, focus on more frequent training but of shorter duration, reward employees, avoid naming and shaming, and help them understand this will help them not only in their current employment but also at home and in future jobs.

Here are eight reasons why your current training isn’t effective and what the business should look into to make it more appealing.

1. The way to fix cybersecurity training is to break it

A “better approach” to make training relevant and relatable is to have people act like attackers, mimicking the complex, rapidly evolving world of cyberattacks, particularly when it comes to software security, says Ed Adams, CEO at Security Innovation. He notes that cybersecurity training programs including realistic simulations deliver higher ROI, according to the company’s 2023 study with the Ponemon Institute.

A training program like this might include missions, challenges — such as broken access control and capture the flag techniques — competitions, and leaderboards with supplemental labs and courses to assess competency and maximize learning and collaboration. “Being able to see the implication of an attack in the form of stolen data and fraudulent transactions turns vulnerabilities from theoretical issues to tangible problems,” he tells CSO.

His advice is to tailor training to a person’s role and to their technology platforms. “With a modularized security curriculum, it’s easier to break down security concepts into interchangeable core components for specific roles. And within that approach, training must be engaging and contextual to ensure mastery, while keeping up with the latest threats faced by security teams,” he says.

Training programs also need to be regular and continually updated with the latest threat intelligence. “Nothing tells people you don’t take training seriously more than delivering outdated content once a year,” says Adams. And while you can’t force people to absorb knowledge they don’t want to, mandatory training can also be motivational, but reinforcing the why is critical to build a security focused culture.

Self-paced learning is also important for scaling knowledge and flexibility, incorporating intimate live environments builds teamwork. “This is why instructor-led, even if remote, and group awareness events are effective. Options for train-the-trainer or apprenticeship programs are critical to organizational maturity and buy-in. Being trained by ‘one of your own’ brings a fresh perspective and increases willingness to listen and learn.”

2. Make the training impactful and accreditation transferable

What CISOs may be missing is expanding beyond the check-a-box compliance-focused approach to cyber hygiene training, according to Stephen Boyce, adjunct professor at Marymount University and founder of the Cyber Doctor.

To mature an organization’s security culture, more budget and human resources are needed. “And in addition to technical talent, organizations should bolster their workforce with talent from non-traditional backgrounds, such as human factors, psychology, and safety professionals,” Boyce tells CSO.

Every organization has a security culture, or lack thereof, and over time, with dedicated resources, this should mature, as should its cyber hygiene program. “How impactful an organization’s cyber hygiene program is depends on the organization’s security culture and whether it uses multiple delivery methods that incorporate employees’ varying learning styles,” he says.

“Using various delivery methods, some organizations have tailored their training programs to the individual’s risk profile instead of their job title or department, and this requires an individual baseline of their workforce to understand the risk profile of each employee. Then follow this with continuous assessments to understand their strengths and weaknesses against current threats to deliver meaningful training relevant to the employee,” he says.

But Boyce believes this approach will need to change in the future. “Security training and education programs today have been designed by digital immigrants for digital immigrants; however, as the workforce demographics continue to shift and digital natives come to dominate the workforce, organizations will find the way they’ve always done it isn’t as effective anymore.”

“Some training programs are offering digital badges that can be transferred from one employer to another, enabling organizations to baseline future employees before their start date, and linking training programs into HR systems,” he says.

3. The industry needs a different way to measure human risk

“Why it sucks? It’s too long, it’s too technical and security admins are relying way too much on phishing simulations,” says Ragnar Sigurdsson, co-founder and head of research and development at AwareGO. He believes cyber training should be enjoyable but also bite-sized; keeping training videos no longer than two minutes, using actors instead of cartoons, and employing the tricks of the advertising trade with a dash of humor to get messages about threats across in a way that’s faster and engaging. “People lose interest fast, and if they feel that their time is being wasted, they will start to resent training and won’t participate,” says Sigurdsson.

“For decades, companies have been relying on phishing simulations to tell them where their company stands in regard to cybersecurity. These tests do give you some idea of your risk posture but only in one area (did they click or not) and even then, the information isn’t really that good. They don’t show if people ignored the email, if they forwarded it, how they decided if it was safe or unsafe and so on. This is all very important information and something that security admins should want to know so that they can remedy the real issue,” he says.

Phishing simulations have also been known to affect employees in a negative way as they set people up to fail if they use the real organization’s domain, which makes the phishing email nearly impossible to spot. “This has resulted in malicious compliance on behalf of employees, claiming every company email to be phishing and not answering emails or meeting requests,” Sigurdsson says.

“We need a different way to measure human risk. Not a standardized questionnaire or a phishing simulation, but independent and interactive assessment scenarios for multiple threat areas, each revealing different levels of knowledge and behavior.” Sigurdsson prefers to start with a human risk assessment that is then used to establish a training plan with relevant topics.

Incorporating rewards and gamification helps with motivation and a bit of healthy competition. It is also best to provide employees with scores and information regarding their right and wrong answers, instead of just ‘Fail’. “And offering rewards for the highest score and create a leaderboard within locations or departments,” Sigurdsson adds.

He thinks there’s also a need to ‘market’ the cybersecurity training program internally to help with buy-in. “Badly advertised security programs seldom gain flight. There needs to be an approachable person behind the initiative; department heads and middle management need to be fully onboard and supportive to gain some traction,” he says. Good results should be commended and given a shout out, while poor results must be remedied through training without blame or shame. “And the security program can’t be a directive from the top, instead presented as the mutual responsibility of all, from the CEO to the janitor,” he says.

4. Gamification and learning through practice

Gamification works particularly well in security, where participants enjoy demonstrating knowledge and skill, according to Corey Hynes, executive chairman and co-founder of Skillable. Security games, such as attack/defend, capture the flag, and red vs. blue, consistently achieve higher participation engagement rates, producing better learning outcomes and skill acquisition. When done individually, leaderboards are a great tool to motivate learning, according to Hynes.

“Gamification does not need to be complicated to be effective when incorporated into a training program. Elaborate scorecards or complex automation and scoring may be unnecessary. However, putting people in peer groups supervised by an instructor or facilitator who can manage interactions and promote healthy competition can be incredibly effective,” Hynes says. He believes too many programs rely on ‘learning by viewing’ and don’t place enough value on ‘learning by doing’.

And in the future, as attacks become more sophisticated and frequent, often aided by the advancements in generative AI, Hynes believes organizations must prepare people to respond quickly and correctly the first time. “You will need more than reading or watching videos to prepare for that reality.”

5. Banish the one-size-fits-all approach

It’s vital to personalize lessons to meet the learner where they are, according to Shaun McAlmont, CEO of NINJIO cybersecurity awareness training. “To do so, companies need a training program that allows them to tailor lessons to individual or team needs, addressing the realities of their roles or personal vulnerabilities,” McAlmont tells CSO.

He sees several common features of many cybersecurity awareness programs that are misguided because they check a box for compliance purposes, but don’t consider how people learn and how to get them to change their behavior. “People won’t learn and change behavior if they tune out from the start, so we need to present the information with a mind to three things: timing, relevance, and personalization.”

As cybersecurity is a complex topic with a lot of technical detail, giving someone a lecture once a year does not lead to safer organization because people won’t retain the information well and they won’t change what they’re doing. Instead, regular monthly training is likely to keep the need for cybersecurity awareness top of mind,” McAlmont says.

Repeated academic studies have found the optimal lecture length to be 15 minutes, McAlmont says, so why try to convey super-important information in long form workforce training? “Instead, break up the training into shorter, digestible pieces and spread them out across that regular monthly cadence. Doing so avoids learner burnout and reduces the likelihood they’ll forget everything by lunch.”

To keep training relevant, learners need to be shown how a technical topic like cybersecurity fits into their lives. “That means building a relatable story that would make someone think: ‘this could really happen to me’, or they need to be able to connect the topics in the training to real-life events,” McAlmont says.

When someone makes a mistake, either by falling for a simulated phishing message from the IT department or a real attack, too many programs rely on punitive approaches, like enrolling that person in ‘remedial training’ or giving them a negative score. “Instead, stay positive and non-judgmental. People are more likely to engage with and contribute positively to cybersecurity awareness training if it does not carry a negative connotation or invoke feelings of fear,” he says.

The methodology is built around how people learn to change their behavior, which is a far better goal than checking the box for a compliance program. “Using animation-style, story-driven episodic content has proven to be some of the most engaging produced by the industry. And combining that entertaining approach with personalized delivery is completely new,” McAlmont says.

6. Cyber education needs to be a TREAT

We underestimate the power of storytelling when it comes to education and this means instead of using hypothetical scenarios in training modules, it’s more effective to share real-world breaches, scams, or phishing. “Learning from actual cyber war stories can teach many lessons from just one actual cyber incident,” SEI Sphere director of cybersecurity Mike Lefebvre tells CSO.

“Employees need to care about cybersecurity training for behavior to change. If cyber training is positioned as a life skill that can help protect employees at work and at home, it’s possible to improve training engagement,” he says.

And it needs to be timely, relevant, engaging, accessible, and terse, that is, TREAT. “So instead of using a complex, formal training module, we could introduce micro-lessons in near real time to end-users as they’re clicking a bad link or downloading that bad email attachment,” he says. “Until cybersecurity becomes as seamless as a seatbelt or airbag, we have a lot of work to do.”

And with AI, it’s not clear yet what exactly this means for cyber education and training, but its huge uptake may rewrite some of the rules about learning. Instead of the ‘garbage in, garbage out’ maxim that’s defined computer science to date, it may be more a case of ‘garbage in, recycled information out’. “AI breakthroughs suggest that it’s possible to make some intelligence out of seemingly bad data,” he says.

In the future, Lefebvre thinks education and training programs will need to be significantly reinvented to capture a generation that’s about to grow up with AI. “AI has the potential to fundamentally reframe how we as humans process and retrieve information,” he says.

7. Give employees real-time feedback with risky and non-risky actions

Traditional training of watching computer-based videos is not working, according to Kevin Paige, CISO and VP of product strategy at Uptycs. “Watching a video on a topic you don’t understand, expecting someone to remember the content and apply it in the real world is not how people learn.”

A better approach is to plug into the systems out there collecting individual security and risk telemetry and use this data to give employees real-time feedback, with risky and non-risky actions individuals have taken daily. “Just like training a dog with positive and negative reinforcements, we can train humans based on real-time actions/information,” Paige says.

Paige believes training should show what happens first hand when an employee clicks on a phishing email, types a password in an internet browser, opens shared files, or downloads a virus from an unsafe website. “When employees don’t download software from unapproved sources they should get positive feedback. If organizations can bundle this feedback and give employees a risk score, it will allow them to assess the overall risk posture of their company.”

8. Make cybersecurity part of the business conversation, but keep it relevant

Cybersecurity awareness and training can’t just be a one-off event. Instead, it needs to be a regular, ongoing conversation about threats and the changing nature of the risk landscape.

To help keep potential risks at the forefront of people’s minds, Rapid7 has developed their own weekly organization-wide security bulletin, covering both internal and external risks and threats. Like a weekly risk report, there’s a version for senior leadership and another that goes to the rest of the organization. The aim is to cover the serious subject matter but in a way that’s short and punchy.

“It’s a maximum of five items because I’m not trying to overload anyone. I’m just trying to level everyone up to start thinking more and more specifically about cybersecurity issues that would impact our organization,” Rapid7 CSO Jaya Baloo tells CSO.

“The leadership one features five internal items that we believe are genuine risks to the business, and they’re given to senior vice presidents and execs, as either action required or for information only,” she says. “And the five external items are the things that are happening in the rest of the world, whether it’s geopolitical events, competitors or regional things, that we can learn from, and that goes to the entire company.”

Baloo also believes in Google’s blameless post-mortem philosophy, an approach followed by the company. “We’re not trying to get anyone dinged on this, we just want it fixed.”

More on security awareness training:

• Security awareness training: Topics, best practices, costs, free options
• 7 elements of a successful security awareness program
• 4 steps to launch a security awareness training program
• Why security awareness training is failing
• 7 things to look for in a security awareness training provider
• 5 tips for globalizing security awareness training