A new study shows boring cybersecurity awareness training doesn’t persuade employees to be secure.

Osterman Research conducted the study, which was co-sponsored by MediaPro. The firm, which surveyed 1,000 U.S. employees for the study, also polled IT managers and decision makers.

As users get more security awareness training, their ability to effectively deal with security threats increases. Users who get proper training are much more likely to spot phishing attempts, business email compromises and other cybersecurity threats. That is in comparison to their untrained colleagues.

The research supports the claim that employees get far more benefit out of interesting and engaging training.

Just Ask Employees

Lisa Plaggemier is MediaPro’s chief strategy officer. She said employers need to gauge their employees on the effectiveness of their cybersecurity awareness training.

MediaPro’s Lisa Plaggemier

“Some companies do this, but I think others might be afraid of the answers they get in return,” she said. “It might mean that you need a dedicated resource running your training and awareness program, who has a communications or marketing background, instead of a security engineer doing it as part of their job. You can also tie specific metrics to test the effectiveness. For example, does incident reporting increase once you’ve trained people on how to spot and report a potential incident?”

Other Findings

Other key takeaways from the report include:

Employers should buy training that really connects with people and doesn’t talk down to them, Plaggemier said.

“There are so many good options on the market these days,” she said. “There’s no excuse to run boring training. In some organizations, their own culture can get in the way. They resist using humor, for example, because it doesn’t fit with their brand or the security team feels you shouldn’t use humor for such a serious topic. Complex problems need creative solutions.”

MSSPs Can Help

Michael Osterman is researcher and president of Osterman Research.

Osterman Research’s Michael Osterman

“I believe there are more opportunities than challenges for MSSPs and other providers, such as Microsoft that provides security natively within Microsoft 365,” he said.

There are two fundamental drivers for the growth of MSSPs. Technology helps organizations address their security concern. And MSSPs can help with this. Also, the cybersecurity skills shortage is motivating many CISOs to outsource at least some of their security to third parties.

“That said, we see the growth of security awareness training and the growth of technology-focused solutions, including the outsourcing of at least some security functions to MSSPs, to be synergistic,” Osterman said. “Outsourcing relieves some of the burden on already-overworked security staffers so that they can focus on the more onerous threats and attacks that take substantial time to investigate and remediate. And training enables users to detect and avoid many of the threats that will inevitably make their way through even the most robust security defenses.”

The study does point to overall progress being made in terms of cybersecurity awareness training, he said.

“For general phishing emails, there was a nearly six-fold increase in the percentage of users who are capable or very capable at detecting them after training compared to their ability pre-training,” he said. “We also found major gains in user capabilities at recognizing targeted emails and scams in social media after they received training. Plus, it’s important to realize that we were surveying organizations that have various levels of efficacy in their training, and so the most effective training would result in even better numbers than these.”