The human factor is absolutely critical in cyberdefense. Some of the most popular attack trajectories use employees as entry points to gain access to the network, and once that happens you are putting out fires. No one wants that.
Awareness training educates the workforce so that it is less vulnerable to “social” attacks. But small and mid-size businesses still tend to deprioritize this fundamental aspect of network protection, and those that do prioritize training tend to keep it entirely virtual.
But is digital training enough? We’ll discuss a few studies so you can decide for yourself.
Evidence for Computer-Based Cybersecurity Awareness Training (with an important “but”)
There are plenty of good reasons for computer-based training. Any decent program will deliver some materials digitally, since most social hacks arrive through email, fake websites and other digital channels.
Computer-based programs work well when they send simulated social-engineering lures, track who responds, and then tell employees how they did. A report showing how well protected the organization is against social attacks can motivate both employees and leadership.
The data is also compelling. A KnowBe4 case study showed that a financial services organization was initially extremely vulnerable to social attacks: 27% of employees took the bait in the initial test. That is roughly one out of four employees in a heavily targeted industry, at a large organization where every employee had received standard onboarding materials and took an annual test.
One year of a primarily computer-based training program reduced that number to a 2.17% click rate, a reduction of over 90% in the simulated-phishing click rate.
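To make that measurement concrete, here is an added example (not from the case study, the article, or any vendor's product) that scores two constructed simulated-phishing campaigns: it counts each recipient once per action, so a user who clicks twice is still one click, and derives the relative reduction the same way the 27% to 2.17% figure above is derived. Campaign names, recipients and events are all constructed.

```python
from collections import defaultdict

# Constructed sample events from two simulated campaigns (baseline before
# training, follow-up a year later). Each line: campaign,recipient,action
# where action is one of sent | clicked | reported. Not real data.
EVENTS = """\
baseline,alice,sent
baseline,alice,clicked
baseline,bob,sent
baseline,bob,reported
baseline,carol,sent
baseline,carol,clicked
baseline,carol,clicked
baseline,dave,sent
followup,alice,sent
followup,alice,reported
followup,bob,sent
followup,bob,reported
followup,carol,sent
followup,dave,sent
followup,dave,clicked
followup,dave,reported
"""

def campaign_stats(events_text):
    """Per campaign: distinct recipients sent/clicked/reported; repeat clicks count once."""
    sets = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        campaign, recipient, action = (f.strip() for f in line.split(","))
        if action in sets[campaign]:          # ignore unknown action types
            sets[campaign][action].add(recipient)
    stats = {}
    for campaign, s in sets.items():
        n = len(s["sent"])                    # guard against a campaign with no sends
        stats[campaign] = {
            "sent": n,
            "click_rate": len(s["clicked"]) / n if n else 0.0,
            "report_rate": len(s["reported"]) / n if n else 0.0,
        }
    return stats

def relative_reduction(before, after):
    """Percent reduction in click rate between two campaigns (27 -> 2.17 gives ~92%)."""
    if before == 0:
        return 0.0
    return (before - after) / before * 100

def evaluate(events_text, baseline="baseline", followup="followup"):
    """Return per-campaign stats and the rounded click-rate reduction from baseline."""
    stats = campaign_stats(events_text)
    reduction = relative_reduction(stats[baseline]["click_rate"], stats[followup]["click_rate"])
    return stats, round(reduction, 2)
```

Report rate is worth tracking alongside click rate: a rising share of recipients who report the lure is the behaviour the training is meant to produce.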
If their business started out with a big target painted on it, then training succeeded in reducing the size of that target to a bull’s-eye. In order to penetrate defenses with a social hack after the training you would need to be a rare combination of lucky and good.
Admittedly this isn’t an ideal example. Not only is the organization large, with a dedicated IT department and risk management team, but those teams also ran the tests themselves. They even reported experimenting with different attack trajectories and getting “crafty” in their attempts to fool more employees. Although there weren’t many in-person sessions, there was clearly organizational involvement.
This level of involvement is consistent with successful programs. Executive leadership support is highly correlated with the effectiveness of awareness training (Creating Environments for Successful Awareness Programs, 2018).
No one cares if their boss doesn’t care. By the same reasoning, there is no automated silver bullet for cyberdefense awareness. It takes at least some management to deploy the right tests, but the critical ingredient is persuasion. Whenever you need people to change behavior, it’s best to use a bit of carrot and a bit of stick. You need leadership to validate the program’s importance, and better still, to convince people that cyberdefense matters for the good of the organization.
Cyberdefense: The Human Factor inside the “Human Factor”
At a certain point you have to step back and enjoy the irony. We are discussing how to address “the human factor” of cyberdefense without humans.
We want to execute a cybersecurity training program that is supposed to impact the human element without humans. Does that strike you as weird?
It should. Cybersecurity can be an incredibly academic subject, but the sort of behaviors we note as the ‘human element’ could not be any more human. Any digital program needs to be validated and motivated by real authority figures.
In our professional opinion the computer component of cybersecurity training is a useful tool, but the human element is critical.
As part of our SMB network security offering we include in-person training sessions and find them invaluable in maintaining the 100% protection rate of our clients. Could you skate by without in-person training meetings and active management of the program? Possibly, but we would not recommend it.