Why Security Awareness Training & Education (SATE) isn’t working!
BINGE TRAINING
Binge Training is simply outdated and can’t address modern threats
Once-a-year training that takes 45-60 minutes is ineffective for the following reasons:
Users have a very short attention span, and much of the training falls on deaf ears.
Users tend to relapse after learning and need constant reminders.
Users don’t have proper motivation to change their behavior
Threats evolve daily, not yearly or quarterly or monthly
POOR METRICS
Organizations and training platforms don’t have proper insight into user risk.
Missing a human-layer IDS/IPS: no continuous detection of risky user behavior
Current metrics are isolated to specific tests
Missing quantifiable metrics for phishing test difficulty
Many valuable employee-specific metrics are being overlooked:
User retention
Propensity to learn
User engagement
User risk
ONE SIZE FITS ALL
Programs don’t adapt to the needs of individual users
Users are unique and each one has their own learning needs.
Users reject patronizing content
Some users prefer direct to the point content
NO HUMAN INTERVENTION
Technology alone can only drive user risk numbers down to a certain floor; human intervention is required to drive them lower.
Users need to feel like they are either part of the solution or part of the problem.
Some employees only become receptive and participative AFTER a human being has talked to them.
Some employees are anxious, and fairly simple matters seem far more complex and daunting to them.
A human being can widen the comfort zone of such people, making them more apt to learn, change, and retain what they need.
MISSING JUST-IN-TIME EDUCATION
Programs that don’t capitalize on “Just in Time” education opportunities miss a valuable moment to educate while the user is highly receptive (the moment a mistake is realized).
BORING CONTENT
Boring or dry content causes the user to quickly lose interest
Lengthy content causes the user to lose interest
Impersonal content causes users to not engage
NOT ENOUGH PHISHING
Programs that don’t conduct high frequency phishing attack emulations tend to have higher user relapse percentages.
Programs that don’t conduct high frequency spear phishing attack emulations leave their users susceptible to targeted attacks
NOT MOTIVATING EMPLOYEES
You can lead a horse to water, but you can’t make it drink
Social engineering attacks manipulate employees’ emotions to get what the attacker wants; SATE programs are not doing likewise to get employees motivated
Phish landing pages with emotional stimuli
Scareware with emotional stimuli
NOT CREATING & SUSTAINING VIGILANCE
Even InfoSec staff get complacent when reading emails
Test phish are NOT just for educating but also for conditioning
Vigilance is NOT just about employees being wary
Employees ought to be an employer’s “Neighborhood Watch”
Each employee ought to be reporting phish, not just avoiding clicks
SATE programs are not measuring employee failure to report