Top cybersecurity awareness training topics and factors that make training content a success
by Pushpendra Mehta, Executive Writer, CTMfile
Currently, the most popular cybersecurity awareness training topics are courses on phishing and malware, password security, email security, social engineering and ransomware, according to ThriveDX’s newly released 2022 Global Cybersecurity Awareness Training Study.
The results of this study were sourced from over 1,900 chief information security officers (CISOs), security leaders and information technology (IT) professionals worldwide.
While 96% of the survey respondents said that cybersecurity awareness measures have increased significantly in the last year, and as many as 97% of those surveyed stated that this has led to a higher level of corporate security, 65% of the respondents believe cybersecurity awareness training programmes need to expand. Eighty-seven percent of the study participants agreed that security advancement cannot be based on technical security measures (technology) alone, but it must also focus on security awareness training among people.
Increased maturity and benefits of cybersecurity awareness programmes
Fifty-eight percent of respondents now have some form of cybersecurity regulations in place, and corporations are demonstrating increased maturity in their cybersecurity awareness programmes. The use of mission statements, policies, guidelines, metrics and systematic training shows a higher level of cybersecurity institutionalization.
[Chart] Source: ThriveDX 2022 Global Cybersecurity Awareness Study
According to the study, the biggest organizational benefits of cybersecurity awareness efforts are better awareness (19%), greater vigilance (14%) and a strengthened human firewall (12%). These top three responses combined account for almost 45% of the perceived benefits.
Improved overall security was ranked fourth, followed by employee understanding and better acceptance, safer behaviour and reduced incident risk, which were mentioned with similar frequency.
Challenges of implementing cybersecurity awareness programmes
Although cybersecurity awareness training has demonstrated benefits beyond IT security, with 99% of respondents indicating that security awareness has a positive impact on the company's error culture and 96% noting a positive influence on the working atmosphere, the complexity and multi-dimensionality of the subject results in implementation challenges.
User acceptance, understanding and the will to learn (25%), scarcity of resources (22%, comprising time, budget and staff), and running the programme and keeping it focused, attractive and effective (14%) were the three leading cited challenges to implementing cybersecurity awareness programmes.
Ensuring management support (9%), setting up and communicating the programme (8%), and managing change (6%) were other significant challenges associated with cybersecurity awareness training.
Measures to increase employee awareness
Awareness as a whole has increased. In addition to traditional training, e-learning and phishing simulation (88%) have become accepted tools for increasing employee awareness.
A large majority of the respondents (72%) reported that they do not inform or announce phishing simulations in advance. Only 20% of the study participants conduct more than seven simulations per year.
[Chart] Source: ThriveDX 2022 Global Cybersecurity Awareness Study
The study report highlights a cautionary finding: “Only 42% of companies provide their employees with a ‘phishing button’ for reporting suspicious mails and subsequent threat analysis. A lot of protection potential and user motivation is still being wasted here.”
Smishing and bad media/USB hack simulations play only a minimal role, with fewer than 10% of respondents using these awareness measures.
Top cybersecurity awareness training topics: courses on phishing and malware, password security and email security
Consistent with the people-centred approach, almost two-thirds (67%) of participants revealed that between two and 12 hours are budgeted for IT security training. It is notable that only 10% of respondents have an annual training budget of 21 hours or more (up to 50 hours).
The study also shows an unusually even split between respondents (2%) that have no training budget available in their organization and those participants (2%) that have an annual training budget of 51 hours or more.
The three most prioritized cybersecurity awareness training topics are courses on phishing and malware, password security and email security.
[Chart] Source: ThriveDX 2022 Global Cybersecurity Awareness Study
Social engineering and ransomware are the other two significant training areas, as per the chart below.
[Chart] Source: ThriveDX 2022 Global Cybersecurity Awareness Study
Other important training topics include clean desk, mobile devices and security, physical security, public wifi, security incidents, and cloud security.
Most important factors that make awareness training content a success
“The top three success factors, with a share of 53.4% of the mentions for IT security awareness training, are course duration (21.2%), entertainment value (19.2%), and personalization (13%),” according to ThriveDX’s study. Personalization is the ability to customize training and adapt it to specific needs.
[Chart] Source: ThriveDX 2022 Global Cybersecurity Awareness Study
Variety, relatability, quality and professionalism, and relevance to personal life were the other noteworthy success factors in awareness training.
To conclude, “The ‘human factor’ remains in the crosshairs of cybercriminals, with 91% of successful attacks starting with a lack of employee understanding or awareness,” the ThriveDX study notes. While a greater emphasis on employee awareness is taking hold, most corporations still have a long way to go to achieve optimal employee training and secure employee behaviour.
Successful cyber attacks start with the employee, so cybersecurity awareness training measures should always start with your employees. They are the key to your greatest security defence, and strengthening their involvement and commitment as links in the company’s chain of vigilance through pre-emptive and regular security training (securetreasury.com) will likely change employee behaviour and improve enterprise security in a way that technology alone cannot.
Remember, cybersecurity awareness significantly increases corporate security, and ongoing employee training makes employees smarter and companies safer from cyber attacks.