• United States




5 reasons users hate cybersecurity awareness training, and how to make them love it

Oct 10, 20198 mins
IT SkillsSecurity

If you want your security awareness training program to be effective, address these common user complaints.

It’s no exaggeration to say that most employees hate taking cybersecurity awareness training. It doesn’t have to be that way. I know of many security awareness training managers that do it so well that their employees not only enjoy it but ask for more of it. I know you think I’m lying, but I’m not. Here are some common complaints of security awareness training and how to make your users love it.

1. Cybersecurity awareness training is boring

It can be boring, at least the way most organizations do it. Make it more exciting, vary it, and make it a game. The average security awareness training involves a video presentation done by someone who could be explaining how babies are born or explaining the periodic table of the elements. It’s staid and unemotional. You’re lucky if it has some graphic elements or music in it.

I’m not saying that your security awareness training video has to be done with the shock jock energy of Robin Williams in the movie Good Morning, Vietnam, but you want your training to err on the side of too much energy.

The best training videos I’ve seen are from energetic presenters who know how to vary their voice and emotional pitches. They bring us along for the ride. Some of the most impressive videos I’ve seen use professional actors, cool backgrounds, background music, have storylines, and are shot by Hollywood-style production teams. It isn’t just one-camera shots from an iPhone with someone standing in front of a screen or chalkboard.

Security awareness training videos that look like professional, Netflix-style episodes are the ones I’ve seen employees ask for more of. Security awareness training companies do this sort of thing, or professional production companies will customize videos for your company. (Full disclosure: I work for a security awareness training company.)

Vary the training. If all you’re doing is showing videos, no matter how exciting they are, it’s going to get boring, especially if it’s the same style all the time. Instead, switch training content up. Use some videos that are entirely comics. Gamify the training. I’m not a gamer but turning education into a game appeals to a lot of people.

One of the most common games I’ve seen in security awareness training is where simulated, fake, phishing emails are sent to end-users, and the end-users are given a “button” in their email client that they can click to report any suspected phishing email. If the end-users of a group report 100% of the fake phishing emails in a given time period, they receive a reward. It can be special recognition in a company newsletter, gift cards, or a pizza party, for instance. The great part of this is that the users will be more likely to report real phishing emails having been part of the game.

2. Employees don’t understand the importance of security awareness training

Most end-users don’t understand the importance of security awareness training. When I was at Microsoft, every year I had to take training on the “Foreign Corrupt Practices Act” so I wouldn’t accidentally bribe a foreigner to buy Microsoft products or be bribed by a foreigner. My job in no way could ever be stretched to put me in a situation where that was going to be a possibility. I hated wasting my time on that training.

Most employees feel that way about all training, or at least training on something that hasn’t impacted their lives yet. Make sure that employees know how important security awareness training is to their own success and to the organization’s.

If the organization has been hacked, don’t hide the details. Let all employees know how it happened, what the hacker did, and how it could have been avoided. The best security awareness training videos I saw included the organization’s own employees relating how they got phished into clicking on something they shouldn’t have. They could see a coworker sharing how it happened, what mistakes they made, and what they could have done better.

Share the real-life stories of organizations like yours that have been hurt by cybersecurity incidents. With ransomware rampant, there are plenty of stories of companies and even entire cities shutdown for days to weeks, or that never recovered from a single cybersecurity event and shut down.

3. Security awareness training isn’t personal

If you want to make someone care, make it personal. Don’t just train them for protecting your business. Let employees know you care about them and their families. Give them training and tools to help them be more cybersecurity aware at home. Employees who train their spouses, parents, and children in cybersecurity awareness will be one of your best defenders at work.

4. Security awareness training isn’t timely

Make sure your security awareness training program is personalized, targeted to the user’s role, and appropriate for the time of the season. I didn’t like taking Foreign Corruption Practices Act training when it didn’t apply to me. No one would.

For example, don’t give training on how to avoid fake invoices and malicious wiring transfers to employees who don’t pay bills. When tax season rolls around, however, make sure all employees are trained on how to avoid fake W-2 information request schemes for their personal tax identification information, and that HR/payroll department employees receive training in how to avoid fake W-2 information requests from someone claiming to be their organization’s tax processor. Give instructions on how to avoid fake gift card scams around Christmas. Instruct people on how to appropriately patch their systems and how to appropriately recognize their installed anti-malware programs so they can’t be fooled by a fake version of either.

5. Security awareness training feels punitive

A lot of employees have told me how security awareness training seems one-sided and punitive. They have to take the training in a certain amount of time or they’ll get in trouble. You’ve got to motivate people to take the training, but if you make it fun and different, you can motivate people to want to learn more. The gamification I talked about earlier is a good way to do it.

For example, tell every employee who reports 100% of all real and simulated phishing emails for a year, that they will get an Amazon gift card. Make the amount enough so that they will care. Then tell them to watch a few videos to learn about what to be on the lookout for. Tell them every month they’ll get a different topic and that they’ll be tested on that topic and others in the following month. One month the topic is W-2 phishing and the next it’s a “clean desk” or screensaver lock audit. The gift card might cost your company $25, $50 or $100, but the return of a well-trained employee will be far more than that.

On a related note, I’m often asked if an employee should be fired or disciplined for failing a test or a real threat event. I know of companies, often in the financial industry, that will fire employees for one failed phishing email. I (and a thousand others) can phish anyone. If you signed off on that policy, know that someone can easily phish you.

You might think you can’t be phished, but you can. It has nothing to do with intelligence or street smarts. Everyone can be tricked. Everyone can make a mistake. I don’t understand unforgiving or overly harsh penalties, especially for first-time offenses. You will get far more productivity from an employee who feels valued and who has been given the appropriate training.

This is not to say that someone who always clicks on everything and does nothing to help strengthen your organization’s cybersecurity shouldn’t face consequences. Maybe those consequences are locking down their browser and email system so they can only communicate with pre-approved places and people, at least until they prove on successive future tests that they are responsible citizens who care about the organization. Having a locked down workstation is a pain, but at least they will understand the penalty and be given a chance to grow and improve.

Mastering Cybersecurity Awareness Training

If you are in charge of your organization’s computer security awareness program and you haven’t already read Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behavior, you should. It’s written by my friend and co-worker, Perry Carpenter. Perry ran security awareness training for a big company and then monitored the industry as a Gartner analyst. The book is far more about human psychology and what really motivates people to listen and learn than computer security education. It gets to the root of the issue.

I know many companies whose cybersecurity awareness training programs use all these tactics. They and their employees are better, happier, and safer because of them.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author