When Effective Security Awareness Programs Fail

Avoid these mistakes when developing a security awareness strategy for your organization.

Nov 9, 2023 - 18:00

In a misguided attempt to test its employees' cybersecurity vigilance, a company sent out a decoy email to its entire workforce—500 strong—informing them of a purported holiday bonus of $650. However, those who clicked through to claim the bonus were met with a stark reality check; they had unwittingly participated in a phishing simulation and, by providing their personal details, had failed the test. The promised bonus was nonexistent, and instead, they were mandated to complete security awareness training.

Jason Hoenich, an awareness expert and the Vice President of Strategy at Arctic Wolf, criticized the approach, labeling it as insensitive and potentially damaging to the company's morale. "For many, $650 is not a trivial amount. This kind of simulation can lead to serious trust issues," he remarked.

Creating a culture of fear and mistrust through such simulations can have the opposite effect of what security training aims to achieve, which is to foster a safe environment where employees can openly report suspicious activities or mistakes, added Gabriel Friedlander, founder of Wizer, a security awareness training provider.

'Check the Box' Training: A Flawed Approach

Julie Rinehart, who oversees security awareness programs at Biogen, argues that many organizations fall into the trap of compliance-based 'check the box' training, which typically involves routine computer-based training and phishing simulations without much depth. Rinehart advocates for a strategic approach that views security awareness more like a marketing campaign—engaging, relevant, and persuasive, rather than a mere formality.

To achieve this, Rinehart emphasizes the importance of audience analysis, which delves into understanding the target audience's current knowledge, behaviors, and motivations to tailor the training content effectively.

Friedlander points out that viewing employees merely as liabilities to be secured promotes unrealistic expectations and shifts the focus from behavioral change to merely completing training modules, which can undermine the program's effectiveness.

Phishing Simulation Pitfalls

Hoenich cautions against phishing simulations that lack empathy and aim to deceive employees. These can create an adversarial relationship between the workforce and the security team, which is counterproductive to the goal of fostering a culture of awareness and open communication.

Rinehart recounts her own experience with phishing simulations, where the initial approach led to employees feeling targeted. She later shifted the focus from punitive measures to empowering employees to recognize and report suspicious activity, which led to more positive outcomes.

Flexibility and Adaptability Are Key

Tonia Dudley, a seasoned security professional, emphasizes the importance of adaptability in security awareness programs, advising against rigid, year-long plans in an ever-changing threat landscape.

Friedlander concurs, suggesting that security awareness should extend beyond mere prevention of missteps to fostering a security-conscious culture where employees are encouraged to report any anomalies or errors without hesitation.

In sum, the real measure of a successful security awareness program lies not in its completion rates, but in its ability to instill a proactive security culture within the organization—a culture where employees are vigilant, informed, and feel secure in reporting potential threats.