How effective is security awareness training?
If you were to ask a number of IT pros whether or not they think security awareness training is effective at reducing human risk, you'd probably get a mixed response...
“Ours worked a treat, the team has really taken to the training”
“We tried it, but our users kept getting phished anyway”
“It’s early days yet but the signs are good!”
The problem is that these anecdotal reviews don't give your business a clear insight into how effective this type of training can be, what's working well and what the overall return on investment (ROI) is.
So, in this post, we'll guide you through:
- How effective is security awareness training at reducing risk?
- What is the return on investment (ROI)?
- Five ways to make security awareness training work
- How to get started on the right track
How effective is security awareness training?
The effectiveness and ROI for security awareness training can vary based on a number of factors — including format, channels and frequency.
But, if done right, employee training can be a highly successful solution for reducing human error, improving everyday security behaviour and achieving key standards of regulatory compliance.
In a recent study, 80% of organisations said that security awareness training had reduced their staff's susceptibility to phishing attacks. That reduction doesn't happen overnight, but it can happen fast — with regular training being shown to reduce risk from 60% to 10% within the first 12 months.
Even the least effective training programs have a seven-fold ROI, and the average-performing program results in a 37-fold return on investment.
The graph below gives a visual insight into one study that measured how staff were able to recognise threats before and after training:
As this shows, security awareness training makes staff much more capable of identifying potential cyber threats.
All of this ROI stuff sounds great, but how is it calculated?
With so many different factors playing into the ROI of security awareness training — including company size, location and training costs — it's pretty difficult to produce an accurate prediction of figures that can be relevant to every business.
That being said, Osterman Research has produced one of the most renowned costs and ROI models developed for security awareness training.
Their study showed that, on average, smaller businesses (under 1,000 employees) can achieve an ROI of 69% from a security awareness training program, while larger companies (1,000+ employees) can achieve an ROI of 562%.
The caveat here is that the report has been based on a range of assumptions — which you can check out in more detail here — including costs of operations and the potential loss of customers and revenue, which obviously varies from business to business.
But don't get too lost in the data. The key point is — training does work.
Five ways to make your security awareness training work
To make your employees' training as effective as possible, there are a number of key ingredients that you need to include:
#1 Keep it regular
According to USENIX, employees will start to forget their training after four months, so delivering regular awareness sessions is key for making sure that the information is kept fresh in their minds.
As seen in the report above, many businesses are opting to train staff on a monthly basis to keep information fresh in the mind.
This may sound like a lot, but this type of training is often delivered through bite-sized, computer-based training (CBT) courses to avoid learning fatigue and any hindrance to productivity.
#2 Keep it engaging
Rather than broadcasting a checklist of points during a PowerPoint presentation, try to deliver more memorable video and interactive computer-based training courses.
Here's a quick example training video that is taken from usecure's security awareness platform, uLearn:
#3 Cover the essential topics
It's easy to think that training staff on how to spot a phishing attack is enough to reduce human risk, but narrowly focusing on a select few topics leaves the door wide open for human error and successful attacks.
Your employees' ongoing training should cover a wide variety of behavioural tips, attack techniques and compliance standards. Check out usecure's top 12 security awareness training topics.
#4 Launch practical phishing simulations
So you've trained your staff on how to spot a phishing attack? That's great, but how will they react when a fraudulent email from finance actually drops into their inbox, asking them to pay an invoice 'asap'?
By running employee phishing simulations, you're able to detect which employees would fall victim to a real-world attack, giving your business a chance to proactively educate that person on what they missed.
#5 Measure the impact of training
It's important to measure the impact of training so that your business can a) report on whether your approach is working and b) have a bird's-eye view of any potential human risk areas.
Running a quick quiz at the end of each training session is a good way of understanding what each person has learned.
With uLearn, each employee is quizzed straight after their course, with their results being saved and added to their individual profile as well as contributing to the business's overall human risk score.
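To make the measuring step (#5) and the simulation step (#4) concrete, here is an added example of how quiz results and phishing-simulation outcomes can be combined into a per-employee and organisation-wide human risk score, and how employees can be flagged for a refresher once their last training is older than the four-month retention window mentioned in #1. This is illustrative code written for this post, not uLearn's or usecure's own scoring logic: the 40/60 weighting between quiz and simulation results, the 120-day refresh window, the 50-point attention threshold and all employee records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Fixed "today" so the example is deterministic (constructed value).
TODAY = date(2024, 6, 1)

# Assumed refresh window: roughly the four months after which staff start to
# forget their training (see #1). 120 days is a constructed approximation.
REFRESH_AFTER = timedelta(days=120)


@dataclass
class EmployeeRecord:
    name: str
    quiz_scores: List[float]   # post-course quiz results, 0-100, newest last
    sim_results: List[bool]    # True = fell for a simulated phishing email
    last_training: date        # date the most recent course was completed


def human_risk_score(rec: EmployeeRecord) -> float:
    """Return a 0 (lowest risk) to 100 (highest risk) score for one employee.

    Weighting is an assumption for this example: 40% comes from how much of
    the quiz content was missed, 60% from the simulated-phishing click rate.
    An employee with no data at all is treated as fully untrained (100).
    """
    if rec.quiz_scores:
        quiz_risk = 100 - sum(rec.quiz_scores) / len(rec.quiz_scores)
    else:
        quiz_risk = 100.0
    if rec.sim_results:
        sim_risk = 100 * sum(rec.sim_results) / len(rec.sim_results)
    else:
        sim_risk = 100.0
    return round(0.4 * quiz_risk + 0.6 * sim_risk, 1)


def training_due(rec: EmployeeRecord, today: date = TODAY) -> bool:
    """True when the last completed course is older than the refresh window."""
    return today - rec.last_training > REFRESH_AFTER


def org_risk_score(records: List[EmployeeRecord]) -> float:
    """Organisation-wide score: the mean of the individual scores."""
    return round(sum(human_risk_score(r) for r in records) / len(records), 1)


def needs_attention(records: List[EmployeeRecord], today: date = TODAY,
                    threshold: float = 50.0) -> List[str]:
    """Names of employees who either score at/above the threshold or are
    overdue for a refresher; these are the people to re-educate first."""
    return sorted(
        r.name for r in records
        if human_risk_score(r) >= threshold or training_due(r, today)
    )


# Constructed sample data (hypothetical employees, not real results).
SAMPLE = [
    EmployeeRecord("alice", [90, 80], [False, False], TODAY - timedelta(days=30)),
    EmployeeRecord("bob",   [60, 50], [True, False, True], TODAY - timedelta(days=20)),
    EmployeeRecord("carol", [100],    [False],             TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.name:6} risk={human_risk_score(rec):5.1f} due={training_due(rec)}")
    print("organisation risk:", org_risk_score(SAMPLE))
    print("needs attention:", needs_attention(SAMPLE))
```

In the sample, bob is flagged because his combined score is high (two of three simulated phishes clicked), while carol is flagged purely because her last course was seven months ago even though her scores are perfect; that distinction is the point of tracking recency alongside results.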
How to get started on the right track
The bare essentials of any effective security awareness training program come down to training staff frequently, using engaging material, covering the essentials and measuring the ongoing impact.
But finding the time and budget to plan, deliver and manage this type of training can seem like a pretty big drain on resources for IT and the business as a whole.
That's why we've put together a complete guide to security awareness training to help you launch cost-effective and admin-lite security awareness training from day one.
Grab the free guide today: