The success of cyber security awareness learning in organizations today is, typically judged by the ‘ticking of a box’ to say it’s been done.
But have organizations – and their managers responsible for information security awareness learning – really stopped to ask whether the programmes their people do are giving them the practical advice and skills to display the behaviours and actions required to manage effectively the cyber risks we face? After all, the organization’s reputation, competitive advantage and the confidence of its customers depends on that.
At present, many workplaces rely on annual, cyber awareness e-learning. In fact, the research we conducted recently with Ipsos MORI showed that 82% of organizations are using traditional, computer-based training and e-learning. And, as reported in a previous blog post, our survey showed that less than a third of them (28%) believe their cyber security awareness learning is “very effective” at changing staff behaviour, with only 32% “very confident” that the learning is relevant to staff.
I would contest that this type of learning leads to an inescapable conclusion: it’s designed once for people who do it once and, ultimately, forget it at once. It’s a paradox: why is the training currently deployed to combat cyber crime – one of the emerging crimes of our century – not fit for the job?
In this vital area of staff training and development, one size doesn’t fit all and traditional techniques are unlikely to instil the cyber resilient behaviours that employees need today. Instead, there needs to be a range of learning techniques that truly engage all our people, embedding and sustaining the resilient behaviours required to more effectively protect an organization’s most sensitive and valuable information and systems.
According to our research, fewer than a third of organizations are using new and proven learning techniques such as simulations, animations and games. We should be hailing these workplaces as trailblazers, tapping into learning methods that give their staff the skills and confidence to take the right decisions at the right time.
This has to be the way forward. With only 46% of organizations giving their people information security training that goes beyond induction and once-a-year e-learning, that leaves a lot of workplaces with a worrying level of cyber vulnerability among their staff.
Directors and managers responsible for security awareness learning and training must review its value with some urgency and decide what needs to change. AXELOS has produced a new, downloadable guide to help organizations do this. It includes guidance on what topics should be covered in cyber security awareness learning, along with recommending essential steps to improving organizational cyber resilience.
While people remain the greatest vulnerability for most organisation, they can also offer the greatest opportunity to make organizations more cyber resilient. With the right learning styles and delivery techniques, the human factor can provide your most effective defence to the growing cyber risks all organizations face.
Download our cyber resilience guide, Are your people playing an effective role in your cyber resilience? (PDF, 165KB).
See our RESILIA™ section for more information about cyber resilience.
Read more AXELOS Blog Posts from Nick Wilding
Did you know you were a whale?
Cyber resilience: How important is your reputation? How effective are your people?
A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 2
A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 1
Cyber Resilience: it’s all about behaviours - Digital Leaders Conference presentation
Cyber Resilience: it’s all about behaviour, not bits and bytes
Cyber Resilience: We need to TalkTalk
Cyber Resilience: developing a new language for all
Looking for Business Leaders in the Cyber Resilience Race