
A Buyers Guide for Security Awareness Training

Shopping for the right security awareness toolset can be like shopping for a new car. So many features, designs, and considerations can be overwhelming. When you find the right one, you know. 

Security practitioners can be as passionate about their security awareness toolset as they can be about their dream car. As a result, there’s a lot of bias in the space. There’s also a lot of salesmanship involved in the marketing and sale of security awareness. 

This article seeks to help you cut through the buzzwords and puffery to find a solution that will work for you and your company. We’ll walk through some considerations for why you’d buy security awareness tools. Then we’ll cover some of the features you’d look for in those tools. Hopefully, by the end of the article, you’ll have an idea of what you want and can find the security awareness tooling of your dreams.

What does Security Awareness Training Achieve?

Security awareness training seeks to achieve a few things, all of which support its core purpose: educating your staff about the dangers and warning signs of cyberattacks. Different security awareness training modules, services, and software pursue this in different ways; many combine several educational modalities or offer a tiered billing model based on them. 

Inform About Cyberthreats

Security awareness training can provide information about cyber threats. Typically, that entails describing what a cyber threat is, how cyberattacks happen, and what the results of a cyberattack are. How that information is conveyed will vary; for purposes of this article, presentation style is a “feature.” That is explained further on, but how your staff is trained will change the efficacy and impact of the training. All the same, the core information should be conveyed regardless of the modality. 

Suffice it to say that if, for example, you have phishing training, the security awareness training should outline the following:

  • What phishing is – an attack by email or phone that attempts to defraud a business of its money or data;

  • How phishing can impact a business environment – threat actors can steal information, defraud a business of its money, or deploy malware on the business network;

  • What you can do to stop phishing – be careful of what emails you open and who you help, and above all, if you suspect wrongdoing, report it.

That information should be common to all training; how it’s conveyed won’t be. 

Inform About the Impacts of Cyberthreats

Security awareness training should also make the impacts of cyber threats real and tangible. One way to do that is to trace the downstream effects of security incidents caused by the same kind of threat. Additionally, security awareness training can help quantify the financial and productivity impacts on your business and its users or clients arising from the threat. This is especially effective in companies that fall within the “critical infrastructure” sectors designated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Some examples include:

  • Healthcare – downtime means that patients can’t be cared for, and patients in your care may suffer diminished outcomes. The exfiltration of Protected Health Information (PHI) will result in fines on top of lost profits, payments, lawsuit damages, and other financial penalties. 

  • Finance – downtime means that people’s livelihoods are impacted and/or they can’t access their money. Fines may also be levied for the disclosure of certain kinds of information in certain jurisdictions.

  • Utilities – downtime equals loss of power or water, which can impact all reliant industries. 

  • Education – downtime has tangible impacts on educational technology and student records. FERPA and other data privacy laws may also be implicated if there’s data exfiltration.

Your specific business’s consequences may differ. Most security awareness training provides enough information to quantify, and to help train on, the immediate and downstream impacts of cyber threats. 

Inform About the Consequences of Cyberthreats

Each workforce member should understand their responsibilities for addressing cyber threats. Security awareness training shouldn’t only make the impact of cyberattacks and other cyber threats on a business real and tangible. It should also make the impacts of cyberattacks and other cyber threats personal.

What you decide to tell the workforce about their responsibilities is ultimately up to you. Typically, security awareness training is highly customizable, and this is one area where customization is advised. 

Security awareness training platforms should provide advice in this space. How that information is presented and what you’re told to do will vary between security awareness training platform vendors. 

Security Awareness Training Features

There are many features you should look for in security awareness training. Some of them may seem straightforward, and others more esoteric. As a baseline, you should identify the features you want and features you think will make your cybersecurity awareness training program effective for your business and workforce. 

The security awareness training industry is constantly developing and re-focusing its efforts to keep abreast of imminent and relevant threats. Platforms are always being supplemented with new training vectors and modalities. You may also find useful features that this guide does not cover. 

Here are some security awareness training platform features you can look for.

Does the Platform Cover the Basics?

The prior section, “What does Security Awareness Training Achieve?”, was drafted with a few key assumptions: that a security awareness training platform provides information and guidance about cyber threats, explains the impacts of cyber threats, and quantifies the consequences of cyber threats. 

You’ll want to verify those assumptions are, in fact, correct. If those assumptions aren’t correct and your security awareness training program doesn’t cover those key objectives, then you may want to reconsider the platform. 

How Does the Platform Deliver Training?

Security awareness training platforms support numerous training modalities. Those modalities' efficacy depends on your training goals and how your staff is used to consuming materials. For example, if your staff typically consumes written training materials, then another form of training might be jarring or more disruptive than it is effective. 

Some of the training modalities you can invest in include:

Text-based training 

Text-based training is written training in the form of a multiple-page presentation conveying topical information about the training subject matter. 

  • Pros:

    • Text-based training is typically highly customizable to meet your specific needs and messaging. 

    • Digitally generated voice-overs can accompany text-based training; some platforms offer human voice-overs, but with substantially less customization. 

  • Neutrals:

    • These look and feel like PowerPoint presentations – passing judgment one way or another doesn’t make sense; they work for some people and not others. 

    • Some platforms offer human-voiced-over training, which compromises the extent of customization. 

  • Cons:

    • Research suggests that text-based training tends to be the least effective of all training modalities. 

Video-based training 

Video-based training is pre-recorded instructional videos highlighting and informing about cybersecurity threats. 

  • Pros:

    • Training is visual and engaging and can convey information in a way that may be difficult for text-based training.

    • Higher production quality training can be psychologically more appealing than other training modalities. The information will stick better if people think they’re watching a movie. 

  • Neutrals:

    • These tend to be more time-consuming than other training.

  • Cons:

    • While video training is more effective than text-based training, poorly produced or scripted video training can totally thwart the purpose of the training. 

    • Most platform providers will accommodate externally produced video training but won’t offer customization for video training. This can result in substantially increased expenses if your messaging doesn’t align with the training platform. 

Questionnaire training 

Questionnaire-based training typically manifests as a multiple-choice examination. 

  • Pros:

    • Questionnaires or tests are engaging and can be used to supplement other training modalities. 

    • Tests incentivize your workforce to demonstrate their knowledge and gauge their performance concerning cybersecurity awareness. 

    • Questionnaires or tests can be highly customized to meet your organizational mission or needs. 

  • Neutrals:

    • Typically, these don’t have an actual failure condition. While failure can be noted as part of the exam, there typically isn’t disciplinary action associated with the failure. Tests can be retaken until rote recall enables passing the test. Consequently, the staff understands more by iterative training, but that iterative training can be extensive. 

  • Cons:

    • The workforce might find questionnaires or tests to be tedious. While rote recall through iterative training may occur, active learning may not. 

Gamified training 

Gamified training is multiple-choice examinations with an attractive graphical user interface and/or video content. 

  • Pros:

    • Gamified training is to questionnaire training as video training is to text-based training: it presents multiple-choice questions in a more engaging and interactive format. 

    • Like video-based training, higher production quality training can be psychologically more appealing than other training modalities. Some training is like playing a video game, which can be appealing to some staff. 

  • Neutrals:

    • Gamified training is more time-consuming than questionnaire training but can be less time-consuming than video-based training.

  • Cons:

    • Gamified training might be a turnoff for some staff; they may not appreciate the quality of the training or may be put off by its complexity. 

    • These are unlikely to be customizable because of the interactive nature of the training. 

    • The workforce might find these tedious due to the length and complexity. 

Security awareness training platforms may include one, multiple, or all training modalities. You’ll want to validate what you need for your business, the cost for those modules and modalities, and how you might integrate those into your training workflow. 

Does the Platform Cover Phishing?

Per IBM, phishing is the most common entry point for cyberattacks. All training platforms should have some premade training about phishing identification and mitigation. They may also integrate this with active phishing training: the ability to send the workforce simulated emails that mimic elements of a real phishing message and tell a recipient who falls for one that they did. A failure condition for that training may also redirect the user to another training modality for further education about phishing. 

Your approach to phishing and training is specific to your organization. You need to identify the risk your workforce presents to your organization and the time (and wages) that training will consume. Put differently: you should be balancing the cost of your employees’ time against what you perceive to be the cost of downtime to your business resulting from the after-effects of a phishing email (which can range from thousands to millions of dollars). 

If you believe that the cost of a cyberattack will exceed the cost of your workforce training, then that workforce training is a valuable training modality to have. Security awareness training platform vendors will also have recommendations in this space that are customizable to your needs. 

What Other Cyberthreat Vectors are Covered?

Some security awareness training platforms cover many threat vectors and modalities, while others focus on the core threats to your business based on environmental data. Only you can identify how much or how little training you want and what its focus should be. Which vendor provides which training packages may also inform or influence your decision. 

Conclusion

There are numerous factors that will inform your decision about what training platform to purchase. If the training platform meets foundational training needs, you can’t go wrong. There’s a wide range of factors to consider, and many vendors offer elements that cover those factors. 

Ultimately, the decision about a training platform is personal: it depends on what features you want and how the training is delivered. You should pick a platform that meets your needs and aligns with your corporate priorities. Fortunately, variety is on your side, and you will find your dream platform.