Cyber threats like phishing attempts and social engineering attacks are on the rise globally.
According to Cybercrime Magazine, cybercrime will cost the world $9.5 trillion USD in 2024.
That works out to roughly $300,000 every second.
Meanwhile, 82% of data breaches contain the human element.
This makes cybercrime a unique threat in which people are both the cause and the solution.
Even with sophisticated technical controls and filters, criminals keep finding new and creative ways to slip past protections and use social engineering to exploit employees, and the rising cost of attacks means it's more important than ever for organizations to avoid a data breach.
Many organizations have a siloed approach to security, which results in a lack of accountability across the organization, and a sense that security is only an IT problem.
Keeping the organization secure should be a team effort, so implementing an effective security awareness training program is essential to mitigate the dangers of phishing and safeguard your organization.
There are many different approaches to employee cyber security training, and a slew of vendors offering a variety of training tools and services.
In this guide, we'll break down exactly what you need to know when evaluating solutions.
We'll look at the flaws of typical cyber security training, how you can start to carry out training that genuinely changes employee behavior, and the key features you should consider to protect against cyber threats.
How does cyber security training typically work?
Your standard awareness-based training program usually involves a series of educational sessions designed to inform employees about cybersecurity risks and best practices.
Here’s a breakdown of how traditional cybersecurity awareness training typically functions:
Scheduled training sessions: Organizations will usually schedule periodic training sessions where employees are required to attend workshops or webinars. These sessions cover a broad range of topics including password security, recognizing phishing attempts, safe internet practices, and data protection guidelines.
Assessment tests: Post-training assessments or quizzes are used to evaluate the understanding and retention of the information provided. Employees are tested on the key concepts and practices taught during the training sessions.
Policy acknowledgment: Employees might be required to sign acknowledgments or certifications confirming they have received, read, and understood the organization’s cybersecurity policies and training materials.
What are the limitations?
While traditional awareness training has been a standard approach for years now, it has several limitations that can impact its effectiveness in addressing modern cybersecurity threats.
Lack of engagement: Traditional training methods can be monotonous and fail to engage employees effectively. Employees often feel that it disrupts their regular workflow.
Infrequent training: Sessions are scheduled periodically (often once a year), so employee behavior has little chance to change between them, and the material is rarely up to date with the latest threats.
One-size-fits-all: Traditional training tends to follow a one-size-fits-all approach, providing the same content to all employees regardless of their specific roles, responsibilities, or levels of existing knowledge.
Reactive (rather than proactive): Traditional training often focuses on compliance and checking off mandatory training requirements rather than fostering a proactive security mindset.
Limited real-world application: Static and theoretical content does not always translate well to real-world situations. Employees may struggle to apply what they’ve learned when faced with actual cybersecurity threats, as traditional training often lacks practical, hands-on components.
No continuous reinforcement: Without continuous reinforcement and regular updates, the knowledge gained from traditional training can quickly become outdated. Cybersecurity threats evolve rapidly, and employees need ongoing education to stay current with the latest tactics and defenses.
Lack of personalization: Traditional training does not account for the varying levels of cybersecurity knowledge among employees.
Insufficient training leads to errors
Training that isn't up to scratch won't equip employees with the knowledge and skills needed to handle real-life situations.
Below are the key types of errors you'll likely see:
Skill-based errors: These will occur during routine activities when attention is diverted from a task. When a skill-based error happens, people generally have the right skills to correctly perform the task, but they fail to do so.
Example: An employee accustomed to handling numerous email attachments daily might accidentally open a malicious attachment while multitasking, leading to a malware infection.
Decision-based errors: These are what you'd typically call a mistake. A decision-based error occurs when we make the wrong judgment, but we believe that our call is the right action.
Example: A system administrator who is not fully versed in cybersecurity best practices might misconfigure a firewall, leaving the network vulnerable to attacks.
A decision-based error has two subtypes:
- Knowledge-based error: This means that the person does not have sufficient or correct knowledge to perform the right action.
- Rule-based error: When individuals follow the wrong set of rules or procedures, or apply the correct rules incorrectly.
Your training needs to keep up with social engineering techniques
Social engineering attacks can be pretty sophisticated.
Attackers will use human psychology and persuasion techniques to craft their campaigns to establish credibility and trust.
Modern cyber attacks rely on techniques like fear, trust and urgency.
This makes it easier to persuade employees to take action like giving away passwords, downloading malware, or making a bank transfer.
When employees are not conscious of social engineering techniques, attacks can easily slip through the net.
Implementing people-centered training grounded in behavioral science is one of the most effective ways of reducing human risk.
This style of training lets you measure risk and put it into context.
If employees are reporting threats, you know they're actually learning.
And if employee behavior is improving, organizational risk is likely being reduced as a result.
Traditional cyber awareness doesn't change behavior
Employees represent the biggest attack surface for most organizations.
And the more employees you have, the bigger that risk is going to be.
Traditional compliance-based cyber awareness training doesn't go far enough to prevent security breaches.
69% of employees say they have knowingly bypassed their company’s cybersecurity guidance.
And 74% would be willing to do so if it helped them accomplish a business goal.
Infrequent training once a year with no follow-up practice doesn't actually prepare employees to deal with real-life cyber threats.
If you want to reduce cyber risks related to employees, you'll need to make sure your training changes the way employees behave...
This is how you ensure employees can spot and respond to threats.
When we talk about behavior change, we just mean modifying human behavior.
Behavior is a computed response to stimuli (whether internal or external, conscious or subconscious, overt or covert, voluntary or involuntary).
For Security Teams, the behaviors that need to be trained are:
- Employees must be able to identify threats.
- Employees must be able to report threats.
You can't change behavior overnight - it takes time and practice.
That’s why yearly (or even quarterly) cyber awareness training and phishing simulations just don't cut it.
The more often the user can learn about and get hands-on practice with security threats, the better they'll be able to catch them in the wild.
Social engineering attacks are always evolving in sophistication and increasingly targeting employees.
This is why building a strong human firewall matters.
Awareness alone won't provide any meaningful protection...
You need a people-first cybersecurity training approach that can positively impact people’s behavior (and therefore organizational risk).
The problem with awareness training is that (as the name suggests) it only focuses on awareness.
And awareness on its own doesn't tend to have any measurable impact on people's cybersecurity skills.
Most of what people learn from training will be forgotten and no habits will be formed.
Awareness training uses policies and strict rules (the do’s and don’ts).
When you put too much emphasis on following rules, employees are likely to perceive cybersecurity as something negative - another annoying bit of compliance disrupting their day-to-day work.
Building habits can be a long process that takes continuous reinforcement.
This is where phishing simulations come into play.
Without practice and experience, employees aren't going to be able to detect attacks.
People need to be motivated to engage with practical exercises so that your training will result in behavior change.
The science behind changing behavior
To successfully implement cyber awareness training that changes behavior, it’s essential to understand how people actually behave...
What motivates them? And how can you influence them?
Psychological influencing strategies integrated into awareness training will teach employees the right behavior online and diminishes high-risk behavior.
Training and persuasion techniques
Persuasion just means an attempt to change behavior without using coercion or deception.
The two main persuasion techniques for behavior change are:
- Influencing: using social and psychological techniques to persuade individuals to adopt desired behaviors
- Shaping: reinforcing incremental changes towards a desired behavior through rewards and feedback.
The mechanisms used in successful training
Using influence as a persuasion strategy in your cyber awareness training can be tricky.
Even when the advice comes from an expert, people aren't very likely to follow the rules.
This doesn't necessarily mean influencing can't be used in training at all.
It just means you'll need to use positive emotions.
Most cybersecurity playbooks rely on fear as a primary influencing technique.
But since fear is a negative emotion, it's very likely to result in resistance, rather than any meaningful behavior change.
To successfully change people's behavior, cyber awareness training needs influence built on positive emotions rather than fear.
So, when developing your behavior-changing approach or shopping around for vendors, you might want to consider these factors:
The messenger: Who communicates the information? Information is usually well received when it comes from an authority.
Incentives: What incentives are you offering employees? (These don't necessarily have to be physical rewards).
Norms: The general culture and environment of your organization will directly impact how the employees perceive training matters. If others around them are positive towards cybersecurity, an employee is more likely to follow suit.
Salience: Training works best when relevant to employees. Personalized and relevant content will boost engagement.
Affect: Emotions play a major role in how people act. When people feel positive about training, they're more likely to engage with the practices.
Commitment: Most people will try to be consistent with public promises. If an employee makes a commitment to cyber awareness training, they'll be more likely to follow through.
Ego: We humans generally act in ways that make us feel good about ourselves. This is why recognition and reward are such useful tools for effective training.
So what features should you be looking for in a modern SAT solution?
Major factors of differentiation in cyber security training, can be linked to the following criteria: user experience, personalization, reporting metrics, behavior change, and automation.
Look for platforms that offer interactive training modules, simulated phishing campaigns, and comprehensive reporting metrics to track progress and measure success.
These criteria can help you assess your options in buying a human-first solution that can actually reduce risk in your organization.
Feature #1: User Experience
Employees don't like doing tasks that interrupt their normal workflow for a significant period of time.
Motivation is born when people actually enjoy an activity.
If training leaves employees feeling satisfied, they'll attach positive feelings towards it.
Great training will motivate people to follow the rules they’ve learned.
But when the rules hinder their work, they may well go out of the window.
This is why it's important not only to incentivize the right behavior but also to remove the barriers to motivation.
These might include:
- Complicated rules
- Heavy reading materials
- Unengaging classes and e-learning
- Training that’s too difficult or too easy
Too many blockers are likely to result in “security fatigue”.
This is when people stop caring about security.
And when enthusiasm for security is low, this is how breaches occur.
Training is usually mandatory, but you can incorporate interactive training into an employee's regular workflow without stopping productivity for hours at a time.
People have trouble focusing on content that is longer than 5-7 minutes, and you want to be respectful of your employee's time and utilize it efficiently to maximize learning.
Small teachable moments to show learners how to improve in the future based on their past behavior can be an effective method to train and communicate to employees about security awareness topics - whether it be identifying suspicious emails or staying safe on social media.
Tips to improve the employee experience:
- Short training moments
- Encourage user interaction for active learning
- Implement anti-phishing training that can be embedded in an employee's workflow (email client, work phone, laptop, etc.)
- Reward success for positive reinforcement
- Try different approaches
- Monitor user feedback (NPS rating of different vendors and qualitative feedback)
Gamification
Gamified cyber security training is one example of how you can make education personalized and more enjoyable for the user.
When assessing different vendors, consider the user experience carefully.
Your employees are going to be the ones using the training on a daily basis, and you want it to be relevant, minimally disruptive to their work, and easy to use.
Feature #2: Personalization
If employees don't feel like the training is relevant to them, they will lose interest fast.
Not every employee has the same level of cyber knowledge, and everyone has a different background when it comes to cybersecurity.
This is why training can't be administered in the same way to everyone.
Every employee will have a different level of cyber knowledge and skills.
Some will have done cyber awareness training in previous workplaces which will have molded their perceptions about security (for better or worse, depending on the quality of the training).
Compare the level of personalization each vendor applies in their cyber security training, in terms of the employee's cyber knowledge, role, department, and the language of the training content.
Personalizing training to individual employees isn't always easy.
But it is absolutely necessary if you want to see outcomes improve.
To influence people, you need to hone in on personal motivation and ability.
The first step towards forming new habits is overcoming negative feelings about cybersecurity and training.
A few things to consider when personalizing training:
- Cyber knowledge
- Skill level
- Language
- Territory
- Department
- Role
- Co-workers
This will allow you to meet employees where they're at and tailor content to the tasks they carry out on a daily basis and the people they usually interact with.
Personalized learning paths
Personalized learning paths are a factor to consider in your vendor search for an effective solution.
If an employee keeps failing simulation exercises, you might need to take a step back and send out easier attacks for the employee to spot.
Once the employee sees that he or she can be successful, the employee will become more engaged, and you can start sending attacks that are more difficult.
If employees continuously fail, they will feel defeated and lose momentum and interest in the training.
Positivity is the key to engaging people and keeping them coming back for more!
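The rule above (drop the difficulty after repeated failures, raise it after sustained success) is a small shaping loop, and it is easier to reason about as code. The block below is an added example, not Hoxhunt's own algorithm: the four-step difficulty ladder, the thresholds of two consecutive clicks before stepping down and three consecutive reports before stepping up, and the treatment of ignored simulations as neutral are all assumptions chosen for illustration.

```python
"""Adaptive phishing-simulation difficulty (shaping loop).

Added example, not Hoxhunt's algorithm. The ladder, the thresholds and the
handling of ignored simulations are assumptions chosen for illustration.
"""

# Difficulty ladder, easiest first (assumed labels).
LADDER = ["easy", "medium", "hard", "expert"]

STEP_DOWN_AFTER = 2   # consecutive clicks before sending an easier simulation
STEP_UP_AFTER = 3     # consecutive reports before sending a harder one

VALID_OUTCOMES = {"reported", "clicked", "ignored"}


class LearnerState:
    """Tracks one employee's current difficulty level and outcome streaks."""

    def __init__(self, level: str = "medium") -> None:
        if level not in LADDER:
            raise ValueError(f"unknown level: {level}")
        self.level = level
        self.reported_streak = 0
        self.clicked_streak = 0

    def record(self, outcome: str) -> str:
        """Record the outcome of the last simulation and return the level to send next."""
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome: {outcome}")
        if outcome == "reported":
            self.reported_streak += 1
            self.clicked_streak = 0
        elif outcome == "clicked":
            self.clicked_streak += 1
            self.reported_streak = 0
        else:
            # An ignored simulation is no evidence either way; it only breaks streaks.
            self.reported_streak = 0
            self.clicked_streak = 0

        idx = LADDER.index(self.level)
        if self.clicked_streak >= STEP_DOWN_AFTER and idx > 0:
            # Repeated failures: step down so the employee can experience success.
            self.level = LADDER[idx - 1]
            self._reset()
        elif self.reported_streak >= STEP_UP_AFTER and idx < len(LADDER) - 1:
            # Sustained success: raise the bar.
            self.level = LADDER[idx + 1]
            self._reset()
        return self.level

    def _reset(self) -> None:
        self.reported_streak = 0
        self.clicked_streak = 0


def simulate_path(outcomes: list, start: str = "medium") -> list:
    """Replay a sequence of outcomes and return the level chosen after each one."""
    state = LearnerState(start)
    return [state.record(o) for o in outcomes]


# Constructed outcome sequence for one employee (illustrative, not real data).
SAMPLE_OUTCOMES = [
    "clicked", "clicked",                 # two failures at medium: drop to easy
    "reported", "reported", "reported",   # three reports at easy: back to medium
    "ignored",                            # neutral, streaks reset
    "reported", "reported", "reported",   # on to hard
    "clicked",                            # one slip does not demote
    "reported", "reported", "reported",   # on to expert
]

if __name__ == "__main__":
    for outcome, level in zip(SAMPLE_OUTCOMES, simulate_path(SAMPLE_OUTCOMES)):
        print(f"{outcome:9s} -> next level: {level}")
```

The streaks are reset on every level change, so an employee has to earn the next step from scratch at the new level; a single click at a high level is not punished with a demotion, which matches the positive-reinforcement stance later in the text. At the bottom of the ladder, further failures simply keep the employee on easy simulations.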
Language
Another important level of personalization is the language of the security training content.
Make sure to ask prospective vendors whether their phishing awareness training program covers the local languages of your employees.
In case the vendor does not provide the language(s) that you need, you should always ask them whether they are planning to add it in the future.
Feature #3: Reporting & Measurement
Many organizations and vendors track the reporting rates of phishing simulations, but this metric needs to be considered carefully.
An organization may be using very simple simulated phishing campaigns or very difficult challenges, skewing results to one side of the bell curve or the other.
If everyone received the simulation at the same time, it is likely some employees working in an open office setting will also give their coworkers a hint not to click on the fake campaign.
This can lead to a false sense of security if your phishing emails are too easily spotted. Passing a few tests per year does not show your organization is prepared to respond to sophisticated, modern phishing techniques.
Reporting rates and failure rates
Two of the main KPIs in phishing awareness training are reporting rates and failure rates.
When employees are engaged in training, reporting rates of simulation exercises will increase.
If your training is focussed on behavior change, then reporting rate is going to be your key metric.
This will tell you how many people engaged with training.
Your overall goal should be to engage as much of your organization as you can so that you can be confident they're developing the skills through recognizing and reporting simulations.
Keep an eye on:
- Average simulation reporting rate per employee: Make sure your training is reaching all employees not just those who fail simulations. At Hoxhunt, we advise our clients to aim for at least an average 70% reporting rate.
- Real threat reporting rate: The whole purpose of training is to help employees identify real-world phishing attacks. This'll also give you more data on what real threats are coming your way.
- Dwell time: This is the period between a threat entering your network and it being reported. Most platforms don't track this metric, but if you find a solution that does (like Hoxhunt) it's worth keeping tabs on to give you an idea of how much damage an attack could actually do.
While failure rates might tell you something about people's learning, they're not the best metric for gauging your success.
Failure rates of different vector types can also highlight areas where employees may need additional training in the future, and the progression and decline of failure rates can show the success of training over time.
However a low failure rate doesn't necessarily mean your training is working.
Your failure rate might depend on things like the difficulty level of simulations, the variety of the content, individual points of view, timing and frequency.
As simulation reporting rates rise, the reporting rates of real-world threats will most likely increase as well.
This gives security teams more visibility into the phishing attacks the company is receiving and allows them to react faster.
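To make the KPIs above concrete, here is an added example (not Hoxhunt's reporting code or any vendor's engine) that computes them from a small event log: the average reporting rate per employee alongside the raw overall rate (the two differ as soon as some people receive more simulations than others), failure rate broken out by simulation difficulty so easy campaigns can't mask weak results on hard ones, and dwell time from delivery to report expressed as percentiles. The log schema, field names, employees, campaigns and timings are all assumptions constructed for illustration.

```python
"""Phishing-simulation KPIs from an event log.

Added example, not Hoxhunt's reporting code. The log schema and the sample
employees, campaigns and timings are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
from typing import Callable, Optional


@dataclass(frozen=True)
class SimEvent:
    employee: str
    campaign: str
    difficulty: str                 # assumed labels: easy / medium / hard
    delivered_at: datetime
    outcome: str                    # reported / clicked / ignored
    acted_at: Optional[datetime]    # when reported or clicked; None if ignored


T0 = datetime(2024, 5, 6, 9, 0)


def _ev(emp, camp, diff, deliver_min, outcome, act_after_min=None):
    """Build a SimEvent with times expressed in minutes relative to T0."""
    delivered = T0 + timedelta(minutes=deliver_min)
    acted = None if act_after_min is None else delivered + timedelta(minutes=act_after_min)
    return SimEvent(emp, camp, diff, delivered, outcome, acted)


# Constructed sample log. Deliveries are staggered so coworkers in the same
# office can't tip each other off about a single simultaneous send.
EVENTS = [
    _ev("alice", "c1", "easy",   0,   "reported", 2),
    _ev("bob",   "c1", "easy",   15,  "reported", 10),
    _ev("carol", "c1", "easy",   30,  "clicked",  1),
    _ev("alice", "c2", "hard",   60,  "reported", 45),
    _ev("bob",   "c2", "hard",   75,  "clicked",  3),
    _ev("carol", "c2", "hard",   90,  "clicked",  3),
    _ev("alice", "c3", "medium", 120, "reported", 5),
    _ev("bob",   "c3", "medium", 135, "reported", 20),
]


def per_employee_reporting_rate(events) -> dict:
    """Reports divided by deliveries, per employee."""
    delivered = defaultdict(int)
    reported = defaultdict(int)
    for e in events:
        delivered[e.employee] += 1
        if e.outcome == "reported":
            reported[e.employee] += 1
    return {emp: reported[emp] / delivered[emp] for emp in delivered}


def average_reporting_rate(events) -> float:
    """Mean of the per-employee rates: everyone counts equally, however many
    simulations they received (the KPI the text recommends tracking)."""
    rates = per_employee_reporting_rate(events)
    return sum(rates.values()) / len(rates)


def overall_reporting_rate(events) -> float:
    """All reports divided by all deliveries; skewed towards heavily tested people."""
    return sum(e.outcome == "reported" for e in events) / len(events)


def failure_rate_by(events, key: Callable[[SimEvent], str] = lambda e: e.difficulty) -> dict:
    """Click rate per bucket (difficulty by default), so easy campaigns
    can't hide weak performance on hard ones."""
    delivered = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        k = key(e)
        delivered[k] += 1
        if e.outcome == "clicked":
            clicked[k] += 1
    return {k: clicked[k] / delivered[k] for k in delivered}


def dwell_seconds(events) -> list:
    """Delivery-to-report latency, in seconds, for reported simulations."""
    return [(e.acted_at - e.delivered_at).total_seconds()
            for e in events if e.outcome == "reported"]


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def kpi_summary(events) -> dict:
    dwell = dwell_seconds(events)
    return {
        "avg_reporting_rate_per_employee": average_reporting_rate(events),
        "overall_reporting_rate": overall_reporting_rate(events),
        "failure_rate_by_difficulty": failure_rate_by(events),
        "dwell_p10_seconds": percentile(dwell, 10),
        "dwell_median_seconds": percentile(dwell, 50),
    }


if __name__ == "__main__":
    for name, value in kpi_summary(EVENTS).items():
        print(f"{name}: {value}")
```

On the sample log the per-employee average (5/9) is lower than the raw overall rate (5/8) because alice, who reports everything, also received the most simulations; the per-employee view is the one that tells you whether training is reaching everyone rather than just the most engaged. The same `failure_rate_by` helper can be keyed on employee or campaign instead of difficulty to find where extra training is needed.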
Feature #4: Behavior change
Behavior change can work for any company.
If you already have cyber awareness and compliance-based training in place, you'll need to go a step further.
One of the main pillars of behavior change is reinforcement, and continuous reinforcement and repetition will transform your behavior into a habit.
In cybersecurity awareness training, the behavior change that the employer wants is to teach employees how to react appropriately every time they receive potentially malicious emails or other content.
The other objective is for employees to understand why reporting threats is important to the organization.
Positive reinforcement
Positive reinforcement is a critical component of the shaping technique.
Simply put, you need to have a desirable stimulus once someone performs a behavior if you want them to repeat that behavior.
Shaping is best applied to training when employees receive recognition and feedback.
Positive reinforcement can include:
- Awards
- Rewards
- Scores
- Competition
- Leaderboard
- Recognition
- Feedback
- Note: Hoxhunt fuses all these positive reinforcement tools into training to keep employees engaged and coming back for more.
Employees can learn from additional training moments following any phishing simulations you're running: what they did right, and what the clues were.
They should then be more motivated to report a threat next time.
Positive reinforcement is such an effective long-term strategy because we find it easier to remember learnings when we associate them with positive feelings.
When you're managing something that can have catastrophic consequences if mismanaged like cybersecurity, completely removing negativity may seem like a tough thing to do.
However, you should not punish employees for the wrong behavior.
Sticking to positive reinforcement is far more effective for improving security culture and employee cooperation.
Research has shown that workplaces need to consciously overcome the habit of trying to scare people into action, and instead highlight when employees do the right thing or reach their goal with a reward or positive feedback.
Punishment (very) rarely ever helps change behavior.
Instead, employees will be defensive, secretive, or uncooperative.
To be able to see what kind of threats are coming in, you need people to actually come forward and report them.
And if employees fear criticism, nothing will be reported.
Employees need to know that it’s safe to come forward when they’ve made an error.
When employees report simulated phishing attacks correctly, and then they are given positive feedback, they will be more likely to report real actual phishing threats that hit their inbox in the future.
This is the whole point of regular training.
Frequent and continuous training
Another key component to behavior change is the frequency of training.
A few simulations a year are unlikely to make any real difference.
Most people don't retain much from the occasional training session.
Infrequent tests certainly won’t shape the adoption of the right cybersecurity habit of staying alert and reporting anything suspicious.
So if you're running simulations, make sure they're being sent out frequently.
Building habits through shaping takes time.
Which is why at Hoxhunt, we aim to send users at least 36 simulations a year.
That’s one every ten days.
When choosing a vendor, keep an eye out for the quantity of phishing simulations promised per employee on an annual basis.
Together, positive reinforcement and frequent training are key traits that improve employee satisfaction with training.
They also help shift the perception of cybersecurity to a more positive culture of awareness in the organization, that everyone participates in.
Feature #5: Automation
Automation is a key driver in productivity improvements and cost savings, and every security team should consider the impact automation could have on their operations and determine what level of automation is best for them.
Different vendors offer different ways of automating components of their security training program, but the two biggest benefits of automation in phishing training are the automated delivery of personalized, frequent training, and the automation of potential threat identification, classification, and escalation.
More personalized training moments
Many organizations develop phishing campaigns for their employees manually, which can be very costly and time consuming, especially if the security team does the research to make sure their content and simulations are up to date with the latest real-world phishing attacks.
Choosing a vendor that regularly updates their content to include the latest types of phishing attacks and themes can be a big timesaver.
Additionally, choosing a vendor that automatically delivers simulated attacks means you'll get to send up to 36-48 personalized emails per employee each year.
This level of practice contributes greatly to consistent, effective learning and forming healthy security behaviors.
Remediation time savings
As a security awareness administrator, you want your employees to stay vigilant and report any emails that look suspicious.
But when they do, the security operations team is tasked with reviewing and handling those reports.
Finding a security training vendor that can automate the tasks of threat identification, classification, and escalation means you can continue encouraging healthy security behaviors without creating more work for your team.
Feature #6: Real-world impact
Cyber risk doesn’t stop at training, so neither can the metrics. The ideal outcome of a phishing attack is a threat report because it removes the danger from the system and accelerates SOC response. Thus, it’s crucial to track how people recognize and report real threats, too.
The Hoxhunt phishing awareness platform allows users to report real threats—and be rewarded for their threat detection–the same way that they're taught to in training. In-the-moment feedback and gamified rewards can be provided to users when they report a real suspicious email, which reinforces threat detection skills and lightens the threat analysis load for security teams, who need only deal with the highest priority threats and incidents.
All modern phishing platforms should be purposefully designed to extend and connect training to measurable real threat detection outcomes, in terms of dwell time, accuracy, and volume.
Feature #7: Realistic simulations
Practice makes perfect.
Without consistent practice, employees won't have the skills or confidence to spot and report real phishing emails that manage to slip through your email filters.
This is why using phishing simulations is so crucial.
By mimicking real threats in a controlled environment, you can prepare employees for facing the real thing.
Here at Hoxhunt, we believe that the only way to foster secure behavior is by learning by doing it.
So make sure you're running some form of simulations to give employees hands-on experience catching them.
Keep your attack simulations updated
New types of attacks are always emerging.
Some current cybersecurity threats are well-crafted and hard to spot - preying on people’s emotions.
Regularly updating your attack simulations will ensure that employees get a feel for the latest threats.
Simplify your reporting process
Your reporting process should be as easy and effortless as you can possibly make it.
Teaching employees how to spot threats is one thing...
But even when people know they should report a threat, if the process is complicated they're highly unlikely to do so.
With Hoxhunt, people can use our reporting plugin for reporting simulations and actual phishing emails. (It’s just a click of a button and only takes a few seconds).
How to research your vendors
When searching for any security vendor, it is important to do some research, not only on the vendor's website, but also to read up on thoughts from peers and community members.
We suggest looking at trusted review websites, such as G2.com and Gartner, which show unbiased user reviews on satisfaction with different products and software.
Enterprise G2 Grid® for Security Awareness Training Software
Questions to ask prospective vendors
Before you meet with potential vendors, it’s good to create a list of questions that matter for you. It will help you compare vendors upon the same criteria and have all the answers you need to make a decision. We gathered the most frequently asked questions to help you brainstorm.
User experience
1. How do you encourage employees to participate in the training?
2. How much time does the training take out of an employee’s regular work week?
Personalization
3. What language options do you have for delivering training content and support?
4. What happens when an employee fails a phishing simulation once or multiple times?
5. Does everyone receive the same training at the same time or is training personalized in any way to employees?
6. How often is the training content updated? Is content updated in each language regularly?
Reporting Metrics
7. What type of progression can you expect to see after 1 month of training, 6 months, and 1 year (reporting rates, participation rates, etc.)?
8. What KPIs do you measure? What are the reporting capabilities?
Behavior Change
9. How frequently do you send simulations to each employee per year, or how frequently do you recommend sending them (for solutions that offer templates)?
Automation
10. About how many manual hours would our security team need to send out a campaign to X employees (100, 10,000 or 20,000)?
11. Where does malicious content (email phishing attacks) go once it has been reported by an employee?
Implementation of Training and Technical Capabilities
12. What are the steps of the onboarding process?
13. Do I receive any help with communication before the roll out of the new phishing training?
14. Do you have threat reporting tools?
15. Can the training be integrated with other tools? e.g. Microsoft ATP?
16. Does it work on all devices? Which devices? Which email clients?
17. How does the pricing work? Do you pay for each element of training separately or is it a cost per employee?
Why is an adaptive security training platform better than legacy tools?
Adaptive phishing platforms get much better results because phishing simulations are personalized to every individual and delivered automatically at the right time and frequency.
Hoxhunt, for example, leverages AI to automate the entire phishing training lifecycle, so security teams can personalize their employee cyber security training at scale with fewer resources.
Personalized learning paths
Adaptive platforms analyze individual user behavior and tailor training content based on each user's performance.
Employees who struggle with specific threats receive more focused training, ensuring they address their particular vulnerabilities.
Real-time adjustments
Unlike static legacy tools, adaptive platforms continuously adjust the training difficulty and content in real-time.
This ensures that the training remains relevant as users improve or as new threats emerge.
Engagement and retention
Personalized and relevant training content increases user engagement and information retention, leading to more effective learning outcomes compared to generic, one-size-fits-all training modules.
Automated feedback and reporting
Adaptive platforms provide immediate feedback after each interaction, allowing users to learn from mistakes instantly.
Automated reporting also allows admins to monitor progress and compliance without any fuss.
Continuous updates
Adaptive systems are frequently updated to incorporate the latest threat intelligence, ensuring that training content remains aligned with the most current cybersecurity risks, unlike legacy tools that may quickly become outdated.
How we evolved from awareness to real behavior change at Hoxhunt
At Hoxhunt, we’ve moved away from traditional security awareness training.
Instead, we focus on reducing human risk through behavior change.
If the end goal is to protect your organization from cyber security threats, why waste time and budget on inefficient awareness and compliance strategies?
After a year of using Hoxhunt, 60% of users actively report real and simulated threats.
The fastest 10% of them report a threat in 55 seconds. (Hoxhunt internal data, 2023)
Focussing on the metrics that matter
Don’t just take our word for it.
The AES Corporation recently compared Hoxhunt to three major security awareness tools, and the numbers speak for themselves.
According to that comparison, the combined improvements made AES 2533% more resilient as a company.
Last year, Finland’s biggest telecom company Elisa ran a benchmark study showing that employees who had undergone Hoxhunt training were 20 times less likely to click malicious links.
We believe that real, measurable behavior change is the key to cybersecurity and human risk management.
Industry analysts agree, with Gartner stating: “By 2030, all widely adopted cybersecurity control frameworks will focus on measurable behavior change rather than compliance-based training as the critical measure of efficacy for human risk management.”
Employee cyber security training FAQ
What is employee security awareness training?
Employee security awareness training educates employees on identifying and mitigating cybersecurity threats, such as phishing scams and insider threats.
This training is vital for reducing human error and enhancing overall security.
Why is cybersecurity awareness important?
Cybersecurity awareness helps create a culture of security awareness within your organization, making employees aware of the risks and teaching them to recognize and respond to potential threats on company devices and networks.
But beware: awareness alone won't impact employee behavior without simulations and frequent practice.
How do training courses address phishing scams?
Many training courses use a phishing simulator to provide real-life examples of phishing scams.
These simulations help employees practice identifying phishing attempts, significantly reducing the company’s susceptibility to these attacks.
How is the effectiveness of training measured?
Effectiveness is measured through detailed reporting on completion rates, incident response times, and reporting rates of both real and simulated threats.
How does training help with compliance?
Cyber security training is integral to meeting regulatory requirements.
By providing industry-specific modules and maintaining a comprehensive dashboard to track progress, organizations can ensure adherence to federal and industry standards.