The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviours look like, according to research* from AXELOS.
The approach also does little to create, embed and sustain the behaviour change required in organizations to respond better to cyber attacks. While 82% of organizations are using traditional, computer-based training and e-learning, less than a third are deploying some of the latest learning techniques that offer more immersive and engaging learning for staff.
The research commissioned by AXELOS and conducted by Ipsos MORI shows that three information security learning methods dominate more than half of UK workplaces: computer-based training/e-learning, face-to-face and video instruction. New proven learning techniques are being adopted by a comparatively small proportion of organizations. For example:
- Simulations – 31%
- Animations – 26%
- Games – 14%
Compounding the problem, fewer than half (46%) of executives responsible for information security training in UK organizations with more than 500 employees provide ongoing information security awareness training beyond new staff induction or annual, e-learning refresher courses.
Nick Wilding, head of cyber resilience best practice at AXELOS, said: ‘Organizations are still trusting in their annual, cyber awareness e-learning. To expect this approach to influence resilient behaviours is unrealistic. Typically, this one-off course – required once, designed once, delivered once and completed once – is also forgotten at once.
‘It risks leaving staff ill-prepared and unaware of the practical things they can do more effectively to manage the daily risks they face. We need a new approach: just as technical controls will evolve and adapt in response to changing threats and vulnerabilities so we need to ensure all our people receive practical and engaging advice and refresher learning on a regular basis throughout the year.’
Wilding said that despite the almost universal belief (99%) among senior managers that information security awareness training is important to minimizing cyber security breaches, less than half that number (47%) are tailoring the learning to the jobs their people do. This is despite nearly two-thirds (63%) highlighting the importance of cyber security in minimizing human error in their organization.
He added: ‘One size simply doesn’t fit all in this critical area of staff development and neither does it support an organization’s investment in protecting its corporate reputation and competitive advantage.’
The AXELOS research also asked executives to identify what they thought were the greatest sources of risk for an information security breach. They said:
- 49%: intentional attack by external hackers, criminals, terrorists or activists
- 45%: unintentional error by employees or contractors
- 40%: intentional attacks by employees or contractors
- 17%: third party suppliers or joint venture partners as a route exploited by cyber criminals.
Nick Wilding said: ‘Organizations are underestimating the human factor risk, the vast majority of which relates to the honest and unwitting actions of an individual rather than malicious attack. An organisation’s people represent the greatest defence against cyber-crime but all too often they are its greatest vulnerability. And yet, as the latest insight from PwC’s The Global State of Information Security Survey 2016 shows, fewer than a quarter (23.69%) of CISOs, CSOs or other senior information security executives are advocates for employee security training and awareness programmes.’
AXELOS’ RESILIA™ Cyber Resilience Best Practice Portfolio includes certified training, awareness learning for all staff, leadership insight and a maturity assessment tool. Its awareness learning programme for all staff helps to fill critical knowledge and skills gaps, enabling employees to make the right decisions at the right time about information security.
AXELOS has produced a downloadable guide to help directors and managers responsible for information awareness learning and associated staff training evaluate the effectiveness of their current approaches and highlight potential improvements to managing cyber resilient behaviours.
Key documents - Cyber resilience: Are your people your most effective defence?
- Read our report results (PDF).
- View our infographic (PDF) illustrating some of the key points and statistics from the research.
- Download our guide, 'Are your people playing an effective role in your cyber resilience?' (PDF).
* Research conducted by Ipsos MORI on behalf of AXELOS using an online panel of business executives who have agreed to take part in research surveys. Fieldwork was conducted between January 5 and January 14, 2016, with 100 business executives with responsibility for information security awareness training at their organization. Participants work at organizations with 500+ employees.