Written by Karen Walsh
Phishing scams and other social engineering attacks work because cybercriminals use people’s digital footprints against them. Threat actors scrape social media and the internet, looking for insights about people. Cybersecurity awareness training programs, however, rarely teach people how to reduce their digital footprint and rarely explain how people’s personal lives make them vulnerable.
While cyber awareness training programs meet compliance requirements, they often fail to educate people about how their digital footprint gives cybercriminals context, ultimately enabling them to craft convincing pretexts and use the personal to attack the professional.
Moreover, cybersecurity awareness training programs rarely address real-world threats. For example, these programs typically include a scenario where a CEO asks an employee to authorize a payment. Most companies, however, have a payment authorization process people need to follow, making this unrealistic.
If employers want to overcome the deficiencies inherent in these cyber awareness training programs, they need to teach employees how to reduce their digital footprint so that they can actively work against cybercriminals. This article looks at how this can be done.
What is cyber awareness training?
Annual employee cyber awareness training usually consists of pre-recorded videos and multiple-choice questions used to assess whether people know basic definitions and recognize social engineering scenarios, like phishing, smishing, and whaling. In theory, an organization’s training program should provide the information and practices that users need.
In reality, cybersecurity awareness training doesn’t challenge end-users. Training helps your employees understand the basics, but awareness programs fail to educate people about personal data exposure: what that exposure looks like from an attacker’s perspective, and how to detect sophisticated phishing threats that leverage this data. If you’ve ever taken your own awareness training, you’ll notice that it repeats the same information every year with little variation or update. Even more concerning, training platforms regurgitate the same information, differentiating themselves on metrics and user experience instead.
What is the main objective of security awareness training?
In theory, security awareness training educates users about cybersecurity threats and the potential outcomes of data breaches. In practice, most organizations use their training program to satisfy a compliance mandate.
For example, nearly every cybersecurity or privacy framework, requirement, or law mentions end-user training. Let’s take a quick look at some of the compliance “heavy hitters”:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): Treated as a Protect Function under the Awareness and Training category
- Health Insurance Portability and Accountability Act: Treated as an Administrative Safeguard or Requirement
- Payment Card Industry Data Security Standard (PCI DSS): Requirement 12.6
How effective is cybersecurity awareness training?
Providing some cybersecurity awareness training is, of course, more effective than not providing any. However, when you start looking at the available statistics, the deficiencies of training are apparent:
- 99% of CISOs, security leaders, and IT professionals reported an increase in corporate security
- 14% reported greater vigilance
- 12% reported that they increased their human firewall
- 65% agreed that they needed to expand programs
The data indicates a disconnect between beliefs about corporate security and end-user activities. While 99% of respondents reported an increase in corporate security, less than 15% saw any actionable outcomes arising from end-user behavior changes.
For example, according to the 2022 State of the Phish report:
- 83% of respondents said that their company experienced a successful email-based phishing attack
- 54% of respondents dealt with more than three successful attacks
- 11% of respondents experienced more than ten successful attacks
These statistics around successful email-based phishing attacks contradict the idea that training programs enhance corporate security, but they do reinforce that companies need a solution that changes end-user behaviors.
If training programs increased corporate security, fewer companies would experience a successful email-based phishing attack.
True education gives people the skills they need to apply knowledge when confronted with a new situation.
A real-life cautionary tale
Let’s shift to a real-world, real-life example. As a cybersecurity and privacy writer, I often write about phishing attacks, especially when discussing access management and endpoint security. I can describe how phishing attacks work, the fact that they prey on human emotions, and how to spot them.
According to every cybersecurity training course I’ve taken and all the research I’ve done, I should be able to spot a phishing attempt by looking for the following:
- Bad grammar
- Unexpected communication
- Urgent tone
- Request to act, including clicking a link or downloading a document
Intellectually, I know these markers. In most contexts, I pick up the hint. No, weird admin of my organization’s email account, I don’t need to reset my password.
The phishing attempt
However, let’s move out of the work context for a moment. Here’s the important background information you need to know:
- I am a team manager for a youth travel soccer team.
- The league has all of our email addresses on their website.
- The people running the league are not technically savvy.
- I am not an incredibly active volunteer.
- I am not an incredibly easy-going human.
- I worry a lot about making mistakes.
- I send out team emails every Thursday morning between 8am-9am.
Now, every single bullet point is important to the phishing attempt that almost got me. Most importantly, I didn’t ask to have my email posted on the league’s website, but even a little bit of exposed personal data can be used by social engineers.
As I was typing away on my weekly Thursday email, the following exchange occurred:
- 8:38am: Email from the Head of the League asking, “do you have a moment for a phone call?”
- 8:40am: I responded, “Yes.” Immediately, I focused on “did I upset a parent?”
- 8:42am: Email response from the Head of the League, “I’m heading into a meeting, I need you to do a favor for me that would make you and the League look good.”
- 8:45am: I distractedly responded, “What is it?” I headed back to composing my email to the parents.
- 8:48am: Email response from the Head of the League, “I need you to buy some gift cards for the managers.”
- 8:50am: I distractedly responded, slightly irritated, “I don’t have a lot of cash flow right now. How much are you looking for?” I finished my email to the parents.
- 8:55am: I suddenly thought to look at the email address used by the Head of the League. It was not his. I ignored the follow-up email requesting that I go out, purchase $400 of gift cards, and send him the codes.
If you’ve never been involved in youth sports, let me give you the bit of context that matters here. Social engineers use psychology to trick their targets, and the social context of youth sports is part of that psychology:
- Youth sports team managers are often asked to front money and get reimbursed later.
- Many team managers have personal relationships with the people in charge of these leagues.
- Youth sports are very political.
- Parents’ actions can reflect poorly on their children, impacting their ability to play or be on a “good” team.
Every email that I received during this phishing attempt fit in the context of being a youth sports team manager:
- Our Head of League is not a wordy person, so short emails made sense.
- I am often asked to pay for things out-of-pocket to get reimbursed later, so the idea of being asked to purchase gift cards made sense.
- I was not surprised that the Head of League would choose physical over digital gift cards because that fits with how technology use across the league works.
How did I suddenly realize that this was a phishing attempt? Let’s go back to point five in the “things you need to know about me.” I am not an easy-going person. I don’t have any relationship with the people in charge of the league, unlike other parents. Once I realized that this wasn’t going to be a call about something I’d done wrong, I was able to process the events.
Not every parent was as lucky. I found out, after warning some other parents that I know, that one team manager did as requested because, for that person, doing a favor fit the context of their relationship with the Head of League.
Context matters, and most cybersecurity awareness training programs fail to consider that. Employees have personal digital footprints that cybercriminals can use against them. They may be able to recognize a phishing attempt at work, but they may not have been taught how to apply their training outside of work.
Without the ability to apply cyber hygiene and vigilance in the context of their personal life, employees create different risks, ones a business might not be able to mitigate. For example, an employee might use the same password for personal and business accounts. If that password is compromised, it also places the business credential at risk.
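The signal that ended the exchange above was a display name that matched a known contact while the mailbox did not, paired with a gift-card pretext. As an added example (not part of the original article), the following mail triage check flags exactly those two things on constructed messages; the contact list, addresses, and message text are assumptions built to mirror the story.

```python
# Added example, not from the original article: flag display-name impersonation
# of a known contact and gift-card purchase requests in an RFC 5322 message.
import email
from email import policy
from email.utils import parseaddr

# Constructed "known contacts" list: display name -> the address that person really uses.
KNOWN_CONTACTS = {
    "Head of the League": "league-head@example-league.org",  # assumed address
}

# Phrases that match the pretext used in the story.
GIFT_CARD_PHRASES = ("gift card", "gift cards", "the codes")


def triage(raw_message: str) -> list[str]:
    """Return a list of warnings for one message; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    warnings = []

    # Display name matches someone we know, but the mailbox is not theirs.
    expected = KNOWN_CONTACTS.get(display_name)
    if expected is not None and address.lower() != expected.lower():
        warnings.append(f"display name '{display_name}' impersonated: "
                        f"expected {expected}, got {address}")

    # A Reply-To that diverts replies away from the visible sender is a second tell.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {address}")

    # Gift-card wording in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(phrase in text for phrase in GIFT_CARD_PHRASES):
        warnings.append("gift card purchase request in body")
    return warnings


# Constructed message modelled on the 8:48am email: right name, wrong mailbox.
SPOOFED = """From: Head of the League <league.head.2022@freemail.example>
To: team-manager@example.com
Subject: favor
Content-Type: text/plain

I need you to buy some gift cards for the managers and send me the codes.
"""

# Constructed legitimate message from the same person for comparison.
LEGIT = """From: Head of the League <league-head@example-league.org>
To: team-manager@example.com
Subject: schedule
Content-Type: text/plain

Do you have a moment for a phone call about Saturday's schedule?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw) or ["no flags"])
```

The contact-list check only works for people the recipient already knows, which is the point of the story: the author caught it because she had a reason to doubt the relationship, not because the email looked wrong.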
What should be included in cybersecurity awareness training?
Too often, people treat the list of topics that must be included in cybersecurity awareness training as the complete answer. At a minimum, employees need to understand the following:
- How to spot social engineering attacks
- Why password strength and multi-factor authentication (MFA) matter
- How to recognize threats, like malicious websites used in phishing attacks
Once cybersecurity awareness training programs provide these basics, however, organizations need to uplevel employee knowledge and skills so that people know how to go from “recognition” to “action.”
Understanding adult learning
Most online training programs, even those that incorporate more than a multiple-choice assessment, lack several factors that drive effective adult learning.
In “Leveraging adult learning theory with online tutorials,” authors Rebecca Halpern and Chimene Tucker outline the six primary principles of the adult learning theory:
- The need to know: provide context and explain the benefit of the lesson
- The learner’s self-concept: adult learners often resist didactic – or bossy – teaching approaches. They prefer to be self-directed with the ability to solve problems and take actions
- The role of the learner’s experience: using experiential learning enables adult learners to incorporate their work and life experiences into the process
- Readiness to learn: adults learn better when the situation or psychological reason builds on previous knowledge
- Orientation to learning: problem-based or task-centered exercises work best
- Motivation: internal factors such as goal-setting, career ambitions, or self-esteem drive adult learners
Most awareness training programs fail because they rarely move beyond basic information. Although they provide scenarios, they lack the context that adult learners need, rarely creating problem-based tasks or connecting to real-world experiences.
How companies can embrace cybersecurity education
The problem most companies face is that employees don’t realize how large their digital footprint is or the impact it can have. Many people assume that compromised personal information has no relationship to their corporate security posture. Unfortunately, many people use the same password to stream movies and to gain access to their work applications.
In the digital world, the personal and the professional are deeply intertwined. By building out a cybersecurity education program that addresses how people learn, organizations can more effectively protect their assets.
Need to know
Fundamentally, organizations need to give their employees context and explain why the lesson matters. Although no employee wants to cause a data breach, many fail to understand the impact that their crossover between work and home can have.
By explaining the personal and professional impact cybersecurity has, employees become more invested in their cyber hygiene. Helping end-users understand their digital footprint gives them that personal connection and context they need. For example, you can ask them to enter their phone number or email into https://haveibeenpwned.com/ so they can know if they have compromised passwords and cease to use any that are.
Cybersecurity education involves giving people hands-on activities and experience. While getting everyone to pass a multiple choice test with a defined score helps you meet a compliance requirement, your end-users aren’t learning.
Phishing tests sometimes provide this hands-on experience, but many organizations use them to “trick” rather than to “teach.” If you deploy a phishing test in your company, you need to consider what you want people to learn. For example, if your phishing test promises people an end-of-year bonus, it may fail to teach people anything other than that you are willing to lie to them. Each email you send should serve a defined learning objective.
Most importantly, your phishing simulations should leverage the real-world behaviors and risks of those you are training. In the most recent revision to NIST Special Publication (SP) 800-53, the agency identifies the following control enhancement for AT-2 Literacy Training And Awareness:
Provide practical exercises in literacy training that simulate events and incidents.
Discussion: Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.
By educating users about the dangers that come with our personal and professional digital exposures, workforce members can learn how to mitigate them, promoting self-directed action.
While cybersecurity awareness training focuses on their work lives only, cybersecurity education enables end-users to connect their personal and professional lives.
For example, asking end-users how they use social media, like LinkedIn, can give them that experiential education. Informing people how cybercriminals use LinkedIn as part of their open-source intelligence (OSINT) gathering can help them realize that their public data places them – and you – at risk.
Cybersecurity education provides end-users a way to build on what they already know. If your employees all pass their cyber awareness training module with an 80% or above, they understand basic cyber hygiene terms and concepts.
Cybersecurity education empowers people to apply these cyber hygiene principles beyond the sanitized training platform. Often, people don’t know how their own cyber hygiene impacts them personally. If you give them visibility into their digital footprint, they can take an active role in managing their digital footprint, applying basic cyber hygiene best practices in a real-world context.
True/false and multiple-choice quizzes assess what people memorize. However, adults learn better when they can problem solve. When end-users watch the same training video and answer the same questions every year, they may memorize what the term “phishing” means, but they may never learn how to respond to one.
If you want to adopt cybersecurity education, you need to spend the time with your people and wargame. For example, your security team can embrace the attacker’s mindset and follow this exercise to identify the likely human targets in your organization. They could then create realistic simulations based on their findings, and see how employees would respond.
Although you can’t control your end-users’ internal motivations, you can help support them. Cyber awareness training often fails to take end-users into account, but rather focuses on what you and your business care about – protecting corporate data.
Cybersecurity education meets end-users where they are. Understanding and responding to end-user motivation is often the most challenging part of cybersecurity. Financial compensation, however, can be a strong motivator. If you have insight into each end-user’s social engineering risk profile, you might be able to offer gift cards or other small rewards for the people with the lowest risk rating.
Education - not just awareness - is more effective at preventing attacks
People are complex, which is one reason why social engineering is a complicated security problem. You can’t control your end-users’ digital lives, but you can educate them in meaningful ways and help them reduce their personal attack surface. The most effective way to streamline this process is with Picnic.
Picnic combines full visibility of an employee’s exposed data from the perspective of an attacker with the means to reduce risk by managing that data. Since Picnic’s technology gathers all available data and analyzes it exactly like threat actors do, users are provided with a realistic and complete picture of their exposed attack surface. By pairing this data with automated threat modeling and risk analysis, Picnic enables security teams to prioritize defenses while also leveraging tailored awareness training content and advanced spear-phishing simulations based on actual behavior and risk. The result is an employee population that knows their personal exposure and risk and is able to continuously reduce their attack surface.
For high-value targets such as executives, Picnic combines automated search and analysis with human-powered reconnaissance and social engineering risk assessments to detect and flag specific risk scenarios, like my own soccer league example above, as potential avenues of compromise before they happen. Any such risk is then communicated to the individual in an executive risk report.
Since Picnic removes or neutralizes the data that would otherwise fuel these attacks, it supplements compliance-mandated cyber awareness training because it mitigates risk before threat actors can actualize an attack. At the same time, Picnic provides tailored education and actionable remediation strategies that reduce the data that attracts cybercriminals in the first place.