Security Awareness Training: Is it the Content or the Context?
October 24, 2022 | By: Stephen Boals
The amount of content we digest daily is mind-numbing. Think about your morning routine: checking email, reading newsletters, Twitter, LinkedIn, Facebook, and so on. Our daily “diet” of data and content exists not only in our personal lives but is augmented and deepened by the now ever-present stream of work information. “The average American consumes about 34 gigabytes of data and information each day — an increase of about 350 percent over nearly three decades,” according to a report published by researchers at the University of California, San Diego. Here in 2022, adding our personal and professional lives together, estimates exceed the 100 GB mark. We simply don’t have the bandwidth to absorb and retain this constant flow to any decent degree.
The Cyber Threat and Content
Mixed in with all that flowing data is malicious content designed to deceive and trick our users. These users are already numb from the sheer volume of what they experience daily, and worn down by the psychological exhaustion of a constant state of hypervigilance, an elevated state of continually assessing the potential threats around you. It is no wonder attackers relentlessly target users through social engineering. Every day brings a new breach, and increasingly complex and targeted approaches to attacking our weakened end users.
Security Awareness Training & The Content Approach
So, how do most organizations approach cyber security awareness? With more content, of course. Short content, long content, Hollywood content, unique content, cartoon content, interactive content, special content, all adding to the content pile. A foundational layer of pure content is, of course, the first building block to understanding and changing behavior. But content alone can’t prevent or protect your organization from a zero-day threat. It won’t change the way specific user personalities play into social engineering attacks. If you look at the results of phishing tests and assessments, content is only part of the equation. Industry-standard phish-prone rates before training are typically in the 30%+ range. After training, most organizations cut that in half, and over time settle in at around 17%. Some, by leveraging a heavily managed program with highly varied content, achieve sub-10% rates, but still carry a set of repeat offenders and a recidivism rate that persists over time.
Content can only get you so far. Is a 10-17% failure rate acceptable? Does it mean an organization with 10,000 people will see 1,000-1,700 failures in a new phishing attack? This is the painful, hidden secret of content-focused training that applies a broad, generalized approach to the human side of cyber risk.
Adding Context to Security Awareness Training
To obtain a rapid reduction in human cyber risk, a different approach is required: one that provides significant gains in a short time period with minimal user time. Context is the key. In the security awareness realm, what does that mean? Users need an awareness of their own vulnerabilities, and also an in-the-moment cyber awareness. We have found at cyberconIQ that the first step in driving this context is an assessment of each user’s own personal Human Risk-Style. Once this is established, curated, focused training can be provided based on each user’s own personality traits and specific Style-Aligned® vulnerabilities. Remediation for failures can also be laser-focused and tailored to their style.
The results of driving context beyond the content?
- Shortened risk-reduction timelines for a maximized phish-ready state
- Successful remediation of your repeat offenders (we call them Clicksters)
- Previously unseen phish-prone rates, below 2%
For more about reducing Human Cyber Risk and our patented approach, contact us today.