
Cybersecurity Awareness Should Be People-Centric, Too

Friday, March 13th, 2020

The first speaker at the Tessian Human Layer Security Summit on March 5 was Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential.

He started his presentation by citing three fundamental flaws in cybersecurity awareness training:

  1. It’s boring
  2. It’s often irrelevant
  3. It’s expensive

“We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained.”

Mark Logsdon, Head of Cyber Assurance and Oversight, Prudential

So, should we do away with it entirely? Not quite.

Cybersecurity training is a necessary evil

Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality. 

But, what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward. 

That’s not just a tall order; it’s completely unfeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable. 

By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title.

With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business. 

To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.

The cybersecurity culture survey

Influenced by the work of Philip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence.

Importantly, the survey focused on five key competencies:

  1. Business focus
  2. Cyber risk assessment
  3. Policy and best practice
  4. Cybersecurity advocacy
  5. Personal practice

The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors.

Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.

How can you apply this to your cybersecurity strategy?

While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings on their own won’t help cybersecurity professionals fine-tune their own training.

The key here is that awareness training needs to be customized. 

Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside.

For more insights garnered from the Tessian Human Layer Security Summit, click here.