Why Security Awareness Training & Education (SATE) isn’t working!
- Binge Training is simply outdated and can’t address modern threats
- Once-a-year training that takes 45-60 minutes is ineffective for the following reasons:
  - Users have a very short attention span, and much of the training falls on deaf ears.
  - Users have a tendency to relapse after learning and need constant reminders.
  - Users don’t have proper motivation to change their behavior.
- Threats evolve daily, not yearly or quarterly or monthly
- Organizations and training platforms don’t have proper insight into user risk.
  - Missing a “human IDS/IPS”
  - Current metrics are isolated to specific tests
  - Missing quantifiable metrics for phishing test difficulty
  - Many valuable employee-specific metrics are being overlooked:
    - User retention
    - Propensity to learn
    - User engagement
    - User risk
- Programs don’t adapt to the needs of individual users.
  - Users are unique, and each one has their own learning needs.
  - Users reject patronizing content.
  - Some users prefer direct, to-the-point content.
- Technology can only drive user risk numbers down to a certain level; human intervention is required to drive them lower.
  - Users need to feel like they are either part of the solution or part of the problem.
  - Some employees only become receptive and participative AFTER a human being has talked to them.
  - Some employees are anxious, making fairly simple matters seem far more complex and daunting.
  - A human being can increase the comfort zone of such people, making them more apt to learn, change, and retain what they need.
MISSING Just-in-Time Education
- Programs that don’t capitalize on “Just in Time” education opportunities miss a valuable moment to educate while the user is highly receptive (the moment a mistake is realized).
- Boring or dry content causes the user to quickly lose interest.
- Lengthy content causes the user to lose interest.
- Impersonal content causes users not to engage.
- Programs that don’t conduct high-frequency phishing attack emulations tend to have higher user relapse percentages.
- Programs that don’t conduct high-frequency spear-phishing attack emulations leave their users susceptible to targeted attacks.
- You can’t make a horse drink water if it doesn’t want to.
  - Social engineering attacks manipulate employee emotions to get what they want; SATE programs are not doing likewise to get employees motivated.
    - Phish landing pages with emotional stimuli
    - Scareware with emotional stimuli
SATE Programs Are Not Creating & Sustaining Vigilance
- Even InfoSec staff get complacent when reading emails
- Test phish are NOT just for educating but also for conditioning
- Vigilance is NOT just about employees being wary
- Employees ought to be an employer’s “Neighborhood Watch”
- Each employee ought to be reporting phish, not just avoiding clicks
- SATE programs are not measuring employee failure to report
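The two measurement gaps above (no quantifiable test-difficulty metric, no per-employee risk insight, and no tracking of failure to report) can be closed with a small amount of bookkeeping over the simulation results a program already produces. The following is an added example, not code from the original page or from any training platform: it computes per-user click rate, report rate, failure-to-report rate, relapse count and a difficulty-weighted risk score from a constructed set of phishing-simulation events. The `SimEvent` record, the 1–5 difficulty scale and the weighting scheme (a click on an obvious lure counts more than a click on a highly targeted one) are assumptions made for the example.

```python
"""Per-user phishing-simulation metrics (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass

MAX_DIFFICULTY = 5  # assumed scale: 1 = obvious lure, 5 = highly targeted spear phish


@dataclass(frozen=True)
class SimEvent:
    user: str
    campaign: int     # campaigns numbered in chronological order
    difficulty: int   # 1..MAX_DIFFICULTY (assumed scale)
    clicked: bool     # user fell for the lure
    reported: bool    # user reported the message to the security team


# Constructed sample: three users across four campaigns of rising difficulty.
EVENTS = [
    SimEvent("alice", 1, 1, False, True),
    SimEvent("alice", 2, 2, False, True),
    SimEvent("alice", 3, 4, True,  True),   # fell for a hard lure but still reported it
    SimEvent("alice", 4, 5, False, True),
    SimEvent("bob",   1, 1, True,  False),
    SimEvent("bob",   2, 2, False, False),  # avoided the click but stayed silent
    SimEvent("bob",   3, 4, True,  False),  # relapse: clicked again after a pass
    SimEvent("bob",   4, 5, True,  False),
    SimEvent("carol", 1, 1, False, False),
    SimEvent("carol", 2, 2, False, False),
    SimEvent("carol", 3, 4, False, True),
    SimEvent("carol", 4, 5, False, True),
]


def lure_weight(difficulty):
    """Assumed weighting: an easy lure is worth more 'risk' when clicked than a hard one."""
    return MAX_DIFFICULTY + 1 - difficulty


def user_metrics(events):
    """Return {user: metrics} covering clicks, reporting, relapse and weighted risk."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    out = {}
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e.campaign)
        n = len(evs)
        clicks = sum(e.clicked for e in evs)
        reports = sum(e.reported for e in evs)
        # Failure to report is counted whether or not the user clicked: a silent
        # non-click is still a missed detection signal for the security team.
        unreported = n - reports
        # Relapse: clicked in a campaign right after one in which the user did not click.
        relapses = sum(1 for prev, cur in zip(evs, evs[1:])
                       if not prev.clicked and cur.clicked)
        # Difficulty-weighted risk: share of available risk weight the user 'spent' on clicks.
        weighted_fail = sum(lure_weight(e.difficulty) for e in evs if e.clicked)
        weighted_total = sum(lure_weight(e.difficulty) for e in evs)
        out[user] = {
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "failure_to_report_rate": unreported / n,
            "relapses": relapses,
            "weighted_risk": weighted_fail / weighted_total,
        }
    return out


def most_at_risk(metrics):
    """Users ordered from highest to lowest weighted risk, ties broken by failure to report."""
    return sorted(metrics, key=lambda u: (metrics[u]["weighted_risk"],
                                          metrics[u]["failure_to_report_rate"]), reverse=True)


if __name__ == "__main__":
    m = user_metrics(EVENTS)
    for user in most_at_risk(m):
        print(user, {k: round(v, 3) for k, v in m[user].items()})
```

Note what the per-test click rate alone would hide: carol never clicked, yet half of her simulations went unreported, and alice's only failure was on a hard lure that she still reported, which is the "neighborhood watch" behaviour the page asks for. The weighted score separates those cases, and the same event log can feed a just-in-time prompt at the moment a click is recorded.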