
Perry Carpenter, Chief Evangelist for KnowBe4 Inc., highlights the importance of security awareness training (SAT) in mitigating human error that leads to cyberattacks and data breaches. Despite the increasing adoption of SAT by organizations, many training initiatives are failing to effectively address issues such as phishing emails. Carpenter identifies nine possible reasons why training programs are not working as expected.

The first reason cited is the focus on awareness rather than behavior. Carpenter emphasizes the need to target employee behavior and bad habits to ensure the success of security training programs. Another key reason for the failure of SAT programs is the lack of a metrics-based approach. Organizations must measure the overall state of security awareness among employees and their current behaviors to understand the strategies required to target desired behaviors.

Furthermore, Carpenter emphasizes the importance of having a clear communication plan to execute culture or behavior change programs successfully. Organizations should also uncover the root causes of employee resistance to training programs and incorporate feedback from the audience to increase engagement levels. Leadership involvement is essential for the success of SAT programs, as it signals the importance of cybersecurity policies and training initiatives.

Personalizing the training program to cater to the different skills, personalities, and security maturity levels of employees is crucial. Carpenter suggests using simulated phishing tools to test employees’ ability to detect and block real-world threats, as traditional classroom training methods are no longer effective. Additionally, organizations should adopt an educational approach rather than a punitive one when training employees on cybersecurity.

In conclusion, organizations must move beyond ordinary training methods and focus on understanding the skills, behaviors, and expectations of their audience to succeed with security awareness training. By delivering impactful and engaging training programs, organizations can mitigate human risk, defend against cyberattacks, and reduce the likelihood of data breaches. The insights provided by Carpenter serve as a valuable guide for organizations looking to enhance their security awareness training initiatives.

© 2024 Globe Timeline. All Rights Reserved.