Perry Carpenter, Chief Evangelist for KnowBe4 Inc., highlights the importance of security awareness training (SAT) in combating cyberattacks that stem from human error. Despite the increasing adoption of SAT, many training programs fail to effectively address issues such as phishing scams and safe online behavior. Carpenter outlines nine reasons why these programs may be ineffective, including a focus on awareness rather than behavior, the lack of a metrics-based approach, and a failure to understand employee resistance.

One key issue highlighted by Carpenter is the importance of measuring the overall state of security awareness among employees and understanding their current behaviors, attitudes, and perceptions. Without this data, organizations may struggle to target desired behaviors effectively. Clear communication plans, rooted in marketing strategies, are also crucial for engaging employees and reinforcing security messages over time.

Employee resistance to training programs may signal a need for changes in format, relevance, or delivery. Incorporating feedback from participants and adjusting the training program accordingly can lead to increased engagement and ultimately more effective outcomes. Leadership involvement is also essential for promoting a culture of security and ensuring sufficient resources are allocated to security training efforts.

Personalizing the training program to employees’ job roles and security proficiency levels can enhance its impact. Using simulated phishing tools to test employees’ ability to detect threats in realistic scenarios is also recommended. Punitive approaches to training should be avoided in favor of educating and empowering employees to adopt secure behaviors and a secure mindset, while creating a positive, motivating environment.

In conclusion, Carpenter emphasizes the need for organizations to go beyond traditional training methods and truly understand the needs and expectations of their audience. By focusing on behavior change and targeted, personalized training, organizations can reduce human risk, enhance their defense against cyberattacks, and ultimately improve their overall cybersecurity posture. The insights shared by Carpenter offer valuable guidance for organizations looking to strengthen their security awareness training programs in today’s rapidly evolving threat landscape.