Why 90% Of Cybersecurity Awareness Programs Fail At Launch
Avoid these mistakes in your awareness programs
“I just click through the slides as fast as possible to reach the end.”
A friend recently dropped this line when discussing his mandatory cybersecurity training.
We have all heard that “users are the weakest link” and why cybersecurity awareness programs are so essential... blah blah.
Yet, the vast majority of programs fail in their purpose of educating people, I would say.
Most people roll their eyes when the mandatory training comes along and try to get through it as quickly as possible.
In this article I mention a few key reasons I have seen for this failure and some practical tips to improve.
This is, of course, my 100% subjective opinion, so please do not assume I am talking about your organization :)
1. “Death by PowerPoint” Syndrome
Ah, yes, the dreaded “Death by PowerPoint.”
In many cases, the awareness session consists of lengthy slide decks filled with technical jargon and complex information.
Usually, it is a member of the cybersecurity team lecturing a disengaged audience or a pre-recorded, online training.
The focus is more on delivering information than ensuring it is absorbed and understood.
While PowerPoint presentations can be helpful, over-relying on them leads to the following:
Lack of Engagement
PowerPoint-based presentations are often one-way communications in which the audience listens passively, with little opportunity for interaction.
Without engagement, employees tend to zone out, forget the material, and fail to understand the security concepts.
Information Overload
No one likes listening to a two-hour presentation, especially those that are “mandated.”
These presentations tend to cram too much information into a short time, making it difficult for employees to retain the key points.
Complex slides, filled with excessive text and diagrams, can overwhelm and confuse participants rather than help them understand the threats they face.
Boring Content
Easily the biggest problem.
The program fails to capture employees' attention when cybersecurity concepts are presented as a long series of dry slides.
Even critical topics like phishing, password security, and malware become snooze-fests in this format, leading to poor retention and application of security practices.
2. Outdated Content
I hate to tell you this, but nobody gets excited when reading about phishing and malware in 2024.
Most cybersecurity awareness programs fail to stay updated with current cyber threats.
I kid you not, but I have seen many programs still teaching people to identify phishing scams based solely on grammatical errors or obvious typos.
This advice was helpful ten years ago but is obsolete in the age of GenAI.
Are you teaching users about how to identify AI-powered attacks?
Can they distinguish deepfake programs from real ones?
Have you checked if they can tell AI-generated voice phishing apart from a real person’s voice?
These are the tactics you should be talking about (and teaching!).
Relevant examples resonate with employees and give them the awareness they need to handle real-world cyber threats.
3. One-Size-Fits-All Training
This is a bit more difficult to implement, but worth it!
Cybersecurity awareness programs are often designed as one-size-fits-all solutions.
This fails to account for the diverse roles present within an organization.
This lack of customization can alienate employees, make the material feel irrelevant, and reduce the effectiveness of the training.
Training designed for entry-level employees may not be relevant to IT professionals. At the same time, executives might require a higher level of awareness about social engineering threats like spear-phishing or BEC scams.
Tailoring programs to different organizational roles is crucial to ensure relevance and effectiveness.
In global organizations, cybersecurity threats differ by region.
For instance, certain types of scams may be more prevalent in some countries than others.
If awareness programs are not adapted to address these regional differences, they will fail to prepare employees in those areas adequately.
Without customizing the content for specific roles, levels of knowledge, or geographic locations, awareness programs often fail to provide useful, actionable insights for employees.
4. Lack of Real-World Application
Many programs fail because they do not provide employees with hands-on, practical experience in identifying and responding to threats.
The training tends to be theoretical and abstract instead of showing employees how to spot a deepfake attack email or prevent a ransomware infection in a real-world scenario.
For example, employees may sit through a lecture about GenAI phishing but never have the opportunity to practice identifying GenAI content in a simulated environment.
Without this kind of hands-on training, employees are less likely to apply what they’ve learned when they encounter actual threats in their inboxes or online.
Moreover, many awareness programs do not incorporate regular testing, feedback, or follow-up sessions to reinforce the material.
Employees might forget the lessons shortly after the training, especially if they do not regularly face cyber threats in their day-to-day work.
Hire a company to run a red team exercise or a simulation based on modern attacks to check how much of your awareness training is actually being absorbed.
Transparently share the results with management so they can check the progress (or lack thereof) regarding awareness.
Here are a few tips you can use to improve the quality of your awareness programs:
Interactive Simulations: Use tools that allow employees to participate in phishing simulations or incident response scenarios. These hands-on exercises are far more effective at teaching employees to recognize and respond to threats in real-time.
Quizzes and Games: Gamifying cybersecurity concepts can make learning more enjoyable and memorable. To increase engagement, incorporate quizzes, challenges, or team-based competitions.
Storytelling and Videos: Instead of presenting dry statistics and data, use stories and real-world examples of cyberattacks to illustrate the consequences of poor security practices. Video content can also help explain complex concepts more visually and compellingly.
Real-World Examples: Incorporate recent, high-profile cyberattacks into the training to demonstrate how current threats operate. Employees are more likely to take training seriously when they understand that these are real dangers their organization faces.
Role-Based Training: Develop role-specific modules that address the unique challenges faced by different departments. For example, finance teams should focus on Business Email Compromise (BEC) attacks, while IT staff may need training on securing endpoints and recognizing insider threats.
Adjust to Skill Levels: Offer both beginner and advanced modules to cater to varying levels of cybersecurity knowledge. Employees with little experience should be introduced to the basics, while experienced professionals can benefit from advanced threat detection techniques.
Localized Content: If your organization operates globally, consider regionalizing your training to address specific cyber threats in different regions.