Cyber Defense Magazine – July 2019

(Sean Pound) #1
The unfortunate reality is that the majority of cybersecurity awareness programs end up being managed
by a junior IT professional, most likely the latest to join the IT team, who does not like the job. We
often hear program managers say, "I hate phishing," which is understandable, since they are not set up
for success.


  1. No access to a playbook - Most cybersecurity awareness program managers do not have access
     to a proven playbook and best practices they can follow, so they end up guessing and
     experimenting. Instead of helping them make decisions, existing solutions overwhelm them with a
     long feature list that they have no time, desire or expertise to use. A few of the challenges they
     face include:


a. Defining groups to test - Are the engineering department, the finance team or the German office
homogeneous groups to test? Should all the employees in these groups get identical training?

b. Selecting the difficulty of the attacks to use - this is a highly sensitive topic that could make
the program manager look bad. An easy simulation results in a low click rate, so no one learns
anything. A difficult simulation could be unfair to a certain group of employees and upset the
managing executive.

c. Setting training frequency - Should training be done monthly, quarterly or annually? Should
high-risk employees be trained more frequently? If so, how can that be accomplished?

d. Determining how to handle high-risk groups (new employees, serial clickers, etc.) that have a
tremendous impact on the program results and, without guidance, fail to change their behavior.


  2. Not relying on data - An effective training program must take into consideration employee
     characteristics as well as each individual's ever-changing performance against phishing email. While
     existing solutions have a long list of features and reporting capabilities, they completely ignore
     the fact that humans are not alike and that we all learn differently. This is probably the most
     critical issue companies fail to address, and the one that contributes most to the poor outcome:
     an increasing number of successful phishing attacks.


A successful awareness program must be designed around the fact that each employee is unique and
should be trained accordingly. Data such as role, department and native language should be factored in,
but most importantly the results of past simulations should be analyzed to determine the difficulty
level and the frequency of training each employee receives. Sounds complex? Once a company has more
than a dozen employees it gets complicated, and the only way to do it well is with a data-driven
solution.
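The paragraph above describes the decision the program manager has to make for every employee: pick a lure difficulty and a next-send date from department, native language and past simulation results, with special handling for new hires and serial clickers. The scheduler below is an added illustration of that logic, not CybeReady's platform or any code from the article. The three difficulty levels, the outcome labels, the recency-weighted risk score, the thresholds and intervals, the template catalogue and the four employees with their histories are all assumptions constructed for the example.

```python
"""Adaptive phishing-simulation scheduler (added example, not CybeReady code).

Assumed for illustration: difficulty levels 1..3, outcomes "clicked" /
"ignored" / "reported", a recency-weighted risk score, the thresholds and
intervals below, and a constructed template catalogue and employee set.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DIFFICULTY_MIN, DIFFICULTY_MAX = 1, 3
INTERVAL_DAYS = {"high": 14, "medium": 30, "low": 90}   # days until next lure
HIGH_RISK, MEDIUM_RISK = 0.4, 0.1                       # risk-score thresholds
OUTCOME_WEIGHT = {"clicked": 1.0, "ignored": 0.25, "reported": 0.0}


@dataclass
class Simulation:
    sent: date
    difficulty: int   # 1 = obvious lure, 3 = targeted pretext
    outcome: str      # "clicked" | "ignored" | "reported"


@dataclass
class Employee:
    name: str
    department: str
    language: str     # native language, ISO 639-1 code
    start_date: date
    history: List[Simulation] = field(default_factory=list)


def recent(history: List[Simulation], window: int = 5) -> List[Simulation]:
    return sorted(history, key=lambda s: s.sent)[-window:]


def risk_score(history: List[Simulation], window: int = 5) -> float:
    """0.0 (always reports) .. 1.0 (clicks every obvious lure).

    A click on an easy lure is penalised more than a click on a hard one,
    and newer simulations get larger weights (1, 2, ... n)."""
    sims = recent(history, window)
    if not sims:
        return 0.0
    weighted = total = 0.0
    for rank, sim in enumerate(sims, start=1):
        ease = (DIFFICULTY_MAX + 1 - sim.difficulty) / DIFFICULTY_MAX
        weighted += rank * OUTCOME_WEIGHT[sim.outcome] * ease
        total += rank
    return weighted / total


def is_serial_clicker(history: List[Simulation], window: int = 5, clicks: int = 3) -> bool:
    return sum(s.outcome == "clicked" for s in recent(history, window)) >= clicks


def is_new_hire(emp: Employee, today: date, days: int = 90) -> bool:
    return (today - emp.start_date).days < days


def next_plan(emp: Employee, today: date) -> Tuple[int, int, str]:
    """Return (difficulty, interval_days, band) for the employee's next lure."""
    if not emp.history or (is_new_hire(emp, today) and len(emp.history) < 3):
        return DIFFICULTY_MIN, INTERVAL_DAYS["high"], "new-hire"      # no track record: easy, frequent
    if is_serial_clicker(emp.history):
        return DIFFICULTY_MIN, INTERVAL_DAYS["high"], "serial-clicker"  # behaviour unchanged: stay obvious
    score = risk_score(emp.history)
    last = recent(emp.history)[-1].difficulty
    if score >= HIGH_RISK:
        return max(DIFFICULTY_MIN, last - 1), INTERVAL_DAYS["high"], "high"
    if score >= MEDIUM_RISK:
        return last, INTERVAL_DAYS["medium"], "medium"
    return min(DIFFICULTY_MAX, last + 1), INTERVAL_DAYS["low"], "low"  # doing well: step up, slow down


TEMPLATES = [  # constructed catalogue: (id, difficulty, language, target departments)
    ("invoice-en-1", 1, "en", {"any"}),
    ("invoice-de-1", 1, "de", {"any"}),
    ("generic-en-2", 2, "en", {"any"}),
    ("payroll-en-3", 3, "en", {"finance"}),
    ("payroll-de-3", 3, "de", {"finance"}),
    ("repo-en-3",    3, "en", {"engineering"}),
]


def choose_template(emp: Employee, difficulty: int) -> Optional[str]:
    """Lure of the requested difficulty aimed at the employee's department,
    in their native language when one exists, otherwise English; None if nothing fits."""
    fits = [t for t in TEMPLATES
            if t[1] == difficulty and (emp.department in t[3] or "any" in t[3])]
    for lang in (emp.language, "en"):
        for tid, _, tlang, _ in fits:
            if tlang == lang:
                return tid
    return None


def schedule(employees: List[Employee], today: date) -> Dict[str, dict]:
    plan = {}
    for emp in employees:
        difficulty, interval, band = next_plan(emp, today)
        plan[emp.name] = {"band": band, "difficulty": difficulty,
                          "template": choose_template(emp, difficulty),
                          "send_on": today + timedelta(days=interval)}
    return plan


TODAY = date(2019, 7, 1)
SAMPLE = [  # constructed employees and histories
    Employee("Anna", "finance", "de", date(2017, 1, 9), [
        Simulation(date(2019, 2, 1), 1, "reported"), Simulation(date(2019, 3, 1), 1, "reported"),
        Simulation(date(2019, 4, 1), 2, "reported"), Simulation(date(2019, 5, 1), 2, "ignored"),
        Simulation(date(2019, 6, 1), 2, "reported")]),
    Employee("Ben", "engineering", "en", date(2019, 6, 10)),
    Employee("Carl", "sales", "en", date(2015, 3, 2), [
        Simulation(date(2019, 2, 1), 1, "clicked"), Simulation(date(2019, 3, 1), 1, "clicked"),
        Simulation(date(2019, 4, 1), 1, "ignored"), Simulation(date(2019, 5, 1), 1, "clicked"),
        Simulation(date(2019, 6, 1), 1, "reported")]),
    Employee("Dana", "finance", "en", date(2016, 8, 15), [
        Simulation(date(2019, 3, 1), 2, "reported"), Simulation(date(2019, 4, 1), 2, "clicked"),
        Simulation(date(2019, 5, 1), 2, "reported"), Simulation(date(2019, 6, 1), 3, "ignored")]),
]

if __name__ == "__main__":
    for name, p in schedule(SAMPLE, TODAY).items():
        print(f"{name:5} {p['band']:15} difficulty={p['difficulty']} "
              f"template={p['template']} send_on={p['send_on']}")
```

Running it puts Ben (three weeks in, no history) and Carl (three clicks in his last five) on easy lures every two weeks, keeps Dana at difficulty 3 on a monthly cadence because one recent click and one ignored lure leave her mid-band, and moves Anna to the hardest finance lure in German only once a quarter. Anna and Dana are in the same department yet get different languages and different schedules, which is the point of the paragraph above; the numbers themselves are assumptions and should be tuned against a program's own click and report rates.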


Disclaimer: The writer is the CEO of CybeReady, which developed an Autonomous Training Platform.
CybeReady was founded by a couple of frustrated cybersecurity trainers who, after developing a proven
training methodology while serving in the National Israeli Security Agency (NISA), realized that executing
it properly requires never-ending data analysis and teaching effort that can only be performed using
machine learning technologies.
