Security Think Tank: Training can no longer be a compliance exercise

Historically, security training has tended to take a compliance-based focus, a ‘tick-box’ exercise using generic, off-the-shelf courses. This needs to change, says Hayley Watson of Turnkey Consulting.

Hayley Watson

By

Published: 28 Feb 2023

‘Humans are the weakest link’ has been the refrain of the IT security community for many years and, with social engineering attacks becoming ever more prominent and sophisticated, an organisation’s people will continue to be one of its biggest security risks.

Despite this, educating this core line of defence has tended to take a compliance-based focus, a ‘tick-box’ exercise using generic, off-the-shelf courses outlining the perils of social engineering, with little included to raise awareness around why training needs to be undertaken. Perhaps unsurprisingly, one of the biggest challenges is getting the average system user to complete this cyber security coaching, which is often seen as an inconvenience and not the key enabler in defending the perimeter that it is.

A risk-based approach

However, 2022 saw training and awareness start to evolve to take a more balanced ‘human risk’ approach. This acknowledges that there is a significant risk of people clicking on phishing emails and Business Email Compromise (BEC) scams, and that more should be done to manage it in the same way as other organisational risk, with targeted remediation and mitigating controls applied.

One focal point is the area of behavioural change. While it is possible to show if someone has completed a cyber security training module, few security tools can indicate whether the individual has paid attention and is actively making smarter decisions to reduce the risk they encounter every day. Altering behaviour generally requires a different approach – one that incorporates targeted training, repeated at frequent intervals to ensure the key points are retained and acted upon. (This must be undertaken without overloading the user with constant reminders, or lengthy exercises – both of which are likely to be ignored.)

Typically, business areas such as HR, finance, and IT support get most of the attention levelled at cyber security training as they have access to confidential information or privileged access to applications and processes. But a more advanced approach is to review all parts of the business; analysing incident reports will show where risks are materialising, and training completion rates, along with scores from short tests undertaken after the course, will indicate where people struggle. The threat landscape, and its change over time, also needs to be a consideration as it will indicate where to focus in terms of improving staff knowledge and awareness.

Going further, training should be graduated based on the risks that are present within a particular job role and the impact to the business, should the person in that role be compromised. The education (and testing of that education) of an employee who has privileged access to servers, databases or applications for example must have more rigour applied to it than that of someone with no access to IT assets; to do this effectively requires some alignment of training delivery with identity provisioning, based on the risk profile of assets.

Training tools

When it comes to the content itself, the simulation of security incidents is now a mainstay of training and awareness programmes, and a key component in helping organisations to understand their risk. These typically take the form of phishing simulations, which are invaluable for measuring how individuals react when they receive something suspicious.

Gamification, which is becoming increasingly popular in many other areas of learning, is a way to make cyber security training more fun and engaging; enabling employees to play out a disaster scenario can demonstrate the importance of security measures by helping them to visualise what an attack or breach may look like from start to finish.

Other successful and creative training methods organisations have deployed include getting employees to watch relevant TV shows (such as Mr Robot) and turning security training into a mini-TV series of their own. Facilitated ‘wargame’ sessions for senior managers, in which one side acts as attackers and the other as defence, is also a good way to help people understand some of the techniques and challenges. The key is getting to know the audience and what will work to engage them.

It’s also important to acknowledge an organisation’s culture and where people are based geographically. Some parts of the business could react differently to the types of training on offer. Gamification, or introducing leader boards, might be a huge hit in one part of the enterprise for example, but ridiculed by another.

Make it personal

A key element of security training and awareness activity is communicating the responsibility that employees have to keep the company safe, as well as ensuring that they perceive there to be a real threat. Content needs to provide real life examples that are applicable to the audience and the level of risk associated with their role and the industry. Emphasising the impact an attack could have on the employee, as well as the organisation, provides an ‘emotional’ hook, and encourages people to look at what they can do to avoid falling victim in the first place.

Educating employees on cyber risk in the personal context so that they change their behaviour when handling their own information, is likely to also have a positive impact on their actions in the workplace.

An ongoing process

Most people won’t overtly deal with cyber security in their daily tasks, meaning skills and facts may not stick in their minds; training therefore needs to be an ongoing process. This is where integrated tools such as KnowBe4 are useful; the platform allows organisations to periodically send simulated phishing attacks across the enterprise, testing employees’ awareness of phishing and reactions to it. Emails can be edited to mimic any threat employees may face, they also encourage staff to go through the process of reporting the attack within their email interface, thereby providing a physical refresher of what to look out for and how to deal with it.

Carrot not stick

The key to successful security awareness training is to engage all staff in the overall journey, with a key contributor to this approach being incentives for reducing cyber attack based risk, such as bonuses or gifts for the teams with the lowest click-rate on phishing emails, or publicly praising employees who correctly identify genuine phishing attempts or suspicious behaviour. Creating ‘security champions’ within the business provides an aspirational goal, and competition between divisions or locations for the best performance in training can be beneficial.

It’s critical however to avoid a punitive approach; if someone fails a simulation test (or any other type of training module), the message needs to be supportive and educational. Making people feel foolish leads to resentment, an unwillingness to undertake further training and potentially a reluctance to report future incidents for fear of being embarrassed again.

A secure culture

As organisations large and small continue to be hit by cyber attacks, there is no doubt about the need for protection. Technology has many of the answers, but it must be reinforced with knowledgeable and engaged employees, who each understand their role in keeping out bad actors. This requires a commitment to cyber security education, as well as a desire to see training evolve to better meet the needs of today’s enterprise, while helping to make security awareness part of the organisation’s culture.

Read more on Security policy and user awareness

Read More
Rebecka Geddes

Latest

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

Newsletter

Don't miss

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

‘Worst thing about Cristiano Ronaldo’: Messi fan’s farewell to CR7 goes viral after Portugal vs Spain | World Cup 2026

Verified Messi fan Appie Cule has posted a lengthy farewell to Cristiano Ronaldo. This came after Spain beat Portugal 1-0 at the World Cup. That defeat effectively ended Ronaldo's World Cup career for good. Cule framed the post as Ronaldo's definitive "last dance" moment. The post argued Ronaldo had set impossibly-high standards for himself. It

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom