A New Look for Risk in Awareness Training

Changes in the way risk is viewed are leading to changes in the way training is conducted.

The outline of a woman stands at the base of an escalator. Her arms gesture toward spinning gears inside a shadowy head.
Image: Gerd Altmann via Pixabay

Cybersecurity awareness training has always, at one level, been about risk. Whether you subscribe to the notion that employees are your first line of defense (they're not) or that employees are your last line of defense (there you go), it really can't be argued that employee behavior plays no role in the risk facing an organization. This statement is true whether we're talking about cybersecurity or construction site safety, but the last year has seen a dramatic change in the ways that companies talk about, think about, and act on the connection between risk and employee training.

One of the strongest drivers of this change has been the role of cyber-insurance providers in the cybersecurity industry. Cyber insurance is now seen as a product as necessary as property and casualty insurance for most companies. And since cyber-insurance companies charge for their product — a product based on risk — the cost of that product, and therefore the cost of risk, has bubbled to the top of the business conversation topic list.

A New Goal

Today, the goal of cybersecurity awareness training is less about creating an educated workforce and more about reducing the risk of an uneducated workforce. Those might seem to be two sides of the same coin, but there is a critical difference: how success is demonstrated. If the goal is to produce an educated workforce, then assessing training success can come through tests that ask questions about the lesson just taught. The key is finding out whether the student gained information from the lesson.

If, on the other hand, the goal is to reduce the risk of an uneducated workforce, then assessing training success must come through a demonstration of changed behavior. The issue is not whether the student acquired information but whether the student puts that information to use to behave in a way that is less risky for the organization. Put simply, it's not what the employees know but what they do that matters.

The New/Old Training

Cybersecurity awareness training has always been a two-part educational service. The first part is knowledge transfer, while the second part is changed behavior. The new goals and new conversations don't change that fundamental makeup, but they do change the emphasis of the process and how it is thought of throughout the organization.

With the emphasis shifting to reduced risk, the spotlight is on changed employee behavior. Customers, then, will force training providers to discuss how they change behavior (and measure that change) rather than how they engage employees or keep employees' interest over the length of a training course. Many companies will frankly not care how a training product works as long as it produces the desired, measurable change in risk.

Some training providers are beginning to recognize the shift and more change is on the way. During the training evolution, it is likely that the industry will see muddied messages, new ways of describing the product and new ways of measuring training success. Customers who make the most of the changing reality will be those who remember that the two primary pieces of cybersecurity awareness training haven't changed — the training providers who have produced the best results in the past are likely to have a solid starting advantage as we move into the future.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
