The first speaker at Tessian Human Layer Security Summit on March 5 was Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential.
He started his presentation by citing three fundamental flaws in cybersecurity awareness training:
So, should we do away with it entirely? Not quite.
Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality.
But, what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward.
That’s not just a tall order; it’s completely infeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable.
By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title.
With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business.
To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.
Influenced by the work of Phillip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence.
Importantly, the survey focused on five key competencies:
The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors.
Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.
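As an added illustration of the confidence-weighted scoring described above (this is not code from the talk or the post), the snippet below turns each survey response into a calibration penalty and ranks competencies for targeted training. The Brier-style squared-error score, the 0.8 confidence threshold, the competency names and the sample responses are all assumptions made for this example.

```python
# Added example: score a confidence survey on calibration, not just correctness.
# A confidently wrong answer and a hesitant right answer both raise the risk
# score, which is the point the talk makes. All sample data is constructed.
from collections import defaultdict

# Constructed sample: (competency, answered_correctly, stated_confidence 0..1)
SAMPLE_RESPONSES = [
    ("phishing", True, 0.9),
    ("phishing", False, 1.0),      # confidently wrong: maximum penalty
    ("passwords", True, 0.5),      # right but unsure: still penalised
    ("passwords", True, 0.95),
    ("data_privacy", False, 0.6),
    ("data_privacy", True, 1.0),
]


def response_risk(correct, confidence):
    """Brier-style penalty: squared gap between stated confidence and outcome.
    Wrong at confidence 1.0 scores 1.0; right at confidence 0.5 scores 0.25."""
    outcome = 1.0 if correct else 0.0
    return (confidence - outcome) ** 2


def classify(correct, confidence, threshold=0.8):
    """Bucket a response so the confidently-wrong cases stand out (threshold assumed)."""
    if correct and confidence >= threshold:
        return "calibrated"
    if correct:
        return "unconfident-right"
    if confidence >= threshold:
        return "confident-wrong"
    return "unconfident-wrong"


def score_by_competency(responses):
    """Return {competency: {"mean_risk": float, "counts": {bucket: n}}}."""
    risks = defaultdict(list)
    counts = defaultdict(lambda: defaultdict(int))
    for competency, correct, confidence in responses:
        risks[competency].append(response_risk(correct, confidence))
        counts[competency][classify(correct, confidence)] += 1
    return {
        c: {"mean_risk": sum(r) / len(r), "counts": dict(counts[c])}
        for c, r in risks.items()
    }


def training_priorities(responses):
    """Competencies ordered by mean risk, highest first: where to focus training."""
    scores = score_by_competency(responses)
    return sorted(scores, key=lambda c: scores[c]["mean_risk"], reverse=True)
```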
While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings won’t help cybersecurity professionals fine-tune their own training.
The key here is that awareness training needs to be customized.
Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside.