Security breaches have grave consequences for organizations. In 2015, the average cost of a corporate data breach increased by 15% compared to the previous year, reaching $3.5 million. For some organizations, breaches additionally led to unwanted downtime (31% of the organizations breached suffered downtime of more than 8 hours), and each lost or stolen record of a confidential or sensitive nature cost the organization an average of $145.

Thus, it should be evident that security awareness must not be taken lightly by organizations as it can actually reduce the costs of running a business by mitigating possible losses from cyberattacks.

Is Security Awareness Important?

The European Network and Information Security Agency states that awareness of risks and safeguards is the first line of defense in securing information systems, which reaffirms the importance of security awareness. Organizations should realize that no matter how much money they invest in intrusion detection, it will not help much if the workforce keeps clicking on simple phishing emails.

50% of Internet users receive at least one phishing email a day. More alarmingly, 97% of the people in the world cannot identify a phishing email and one in 25 actually clicks on such emails. This leaves no doubt that security awareness should be treated as something important.

SC Magazine Poll asked its readers if they think employee security awareness training is useful and 88.07% answered positively.

According to the results of the 2014 US State of Cybercrime Survey, around 42% of respondents asserted that security awareness training for new employees helped to deter attacks. Financially speaking, the same report also showed that companies that kept security in mind and conducted security awareness training for employees had an average financial loss of $162,000, while companies without training reported an average of $683,000. Thus, security awareness does have a tangible, positive impact on organizations. However, this does not mean they should simply rely on employees avoiding the threats; a multi-layered approach needs to be in place.

Around 53% of companies have some form of security awareness training in place. Insider attacks are regarded as the most dangerous, and they often emanate from a non-malicious, uninformed employee. Without security awareness, such employees can browse websites hosting malware, open and click on phishing emails, store their login credentials under their desk, give information to malicious third parties in a social engineering attack, and so on.

Nonetheless, how security training is carried out and which topics it covers matter, as security awareness sometimes fails to produce results, which is where the anti-awareness movements come from. For example, 80% of more than 400 West Point cadets still clicked on a phishing link even after receiving four hours of security awareness training.

In 2016, 58% of companies worldwide had a security strategy, 52% had security standards for interaction with third parties, and 49% conducted security threat assessments.

Organizations face both insider and outsider threats. The SANS 2015 Survey on Insider Threats revealed that 74% of CISOs are concerned about employees stealing information from their organization. A PwC survey in 2015 revealed that 34% of attacks worldwide were conducted by current employees, while another 28% were conducted by former ones. 72% of security incidents at financial services organizations involved either a current or a former employee.

More importantly, 50% of CEOs did not feel prepared for a cyberattack in 2015, which further underlines the importance of security awareness.

In 2016, 37.2% of US organizations had a Botnet grade of B or lower, which means they face a higher likelihood of a publicly disclosed data breach, while 54.8% of organizations had a Sender Policy Framework (SPF) grade of C or lower, which means many organizations are likely to have their email domains spoofed. 99% of Internet users are vulnerable to exploit kits, while education was the cause of 6.6% of all security incidents in 2015.

Mobile devices were considered the weakest IT security link according to the 2015 Cyberthreat Defense Report, and 58% of Internet users operate 3 or 4 devices on a daily basis. 59% of the respondents in the report asserted that mobile threats had increased in the past year. Therefore, security awareness needs to be an ongoing activity, because new threats keep emerging.

In essence, we can conclude that security awareness is important and can make a difference in an organization, if it is done properly and treated as an ongoing endeavor.

The Benefits of Security Awareness

One proof of the value of security awareness is the KnowBe4 Internet Security Awareness Training (ISAT) 4-week program, which was the subject of a case study on three companies. The study found that around 26% to 45% of the employees of the chosen companies were susceptible to phishing. After the security awareness program, that percentage decreased by 75%.

According to Rob Kraus, occasional security training in organizations results in a 10-15% reduction in the likelihood of a successful attack, and consistent training combined with measurement of its effectiveness is needed to reach a 40-50% reduction. Notably, he points out that a 100% reduction in successful attacks is impossible.

Integrity Technology Solutions asserts that security awareness results in a more confident staff, as they become better acquainted with the world of technology and the dangers that reside within it. Being informed enhances the work culture, saves money through fewer data breaches, saves time that would otherwise be spent mitigating damage from attacks, and creates better security in general.

In another study at a Fortune 50 organization, 35% of the employees who were subjected to a simulated phishing attack fell for it. They were then given feedback and additional training, and in a follow-up only 6% were tricked, which amounts to an 84% decrease in susceptibility to the threat.

Effectiveness of Security Awareness Training Variations

Each solution has its merits, although most organizations rely on a combination of methods to carry out their security awareness programs (http://csrc.nist.gov/organizations/fissea/2012-conference/presentations/fissea-conference-2012_quagliata.pdf). Organizations that use a combination of methods to achieve security awareness typically have employees who strongly agree that their organization secures its data properly. Furthermore, the less frequently security awareness training is carried out, the more likely employees are to feel that the organization is not maintaining good security. Organizations that carried out security awareness programs every year had employees who regarded the organization as secure.

Therefore, effective security awareness training must take place at least once a year and use a combination of web-based methods, classroom-based methods, visual aids, and hints.

Typically, employees in larger organizations receive a combination of training methods. Of the employees participating in an EMA research study, 45% took part in online interactive training, 47% in non-interactive training, and 41% in a traditional classroom-based solution (involving a lecturer or speaker). The research showed that the traditional classroom-based solution, which was the most popular solution in the past, is losing popularity.

Web-based solutions

There are multiple ways to approach security awareness training. For example, a 2008 experiment with a web-based security awareness training displayed information packages on the left and a security chatbot that could answer questions about security on the right. 70% of the participants found the chatbot a useful way to learn about security awareness, with over 70% asserting that it had a positive effect on their learning experience.

The Customs-Trade Partnership Against Terrorism (C-TPAT) explicitly states that web-based training which automatically notifies employees and includes webinars, graded tests, supervisor notification, and archiving of training records is a recognized best practice in the field of security awareness training.

Yeo & Yeo Computer Consulting (2016) assert that statistics show that the combination of web-based training and frequent simulated phishing attacks actually works and turns employees into the first firewall of any organization. They aggregated the numbers and found that, through such training, the overall Phish-prone percentage dropped from 15.9% to 1.2% in a year. Web-based training is also less disruptive to employees and their productivity, as they can work through the content from any location, at their convenience and at their own pace.

Classroom-based solutions

Relying on a classroom can be beneficial because someone can answer questions straight away, thanks to the classroom's inherent interactivity. It is a widely used method, though the training time depends on the material that needs to be discussed and on how effective it is with the audience.

Besides those two methods, there are other helpful solutions, such as presenting hints to users from time to time (in notes or emails) and using visual aids. The University of Michigan launched a successful visual aid to help students keep their accounts safe by comparing their passwords with underwear: you need to change it often, not leave it lying around, and not share it with friends.

Wombat Security Technologies CEO Joe Ferrara asserts that videos and classroom-based security awareness trainings which do not engage the participants are doomed to fail from their launch. They do not scale as well as online training and are more disruptive to employees' productivity.

What is effective or not in security awareness training?

Dan Lohrmann, writing for CSOOnline.com, researched the field of security awareness and came up with a set of guidelines for effective security awareness programs. The status quo (what worked in the past) needs to be constantly revised, as security awareness programs that do not change lose their effectiveness. Videos or PowerPoint presentations as the main education path are also insufficient, and treating security awareness as a simple box that needs to be ticked is equally erroneous.

Effective security awareness programs, he claims, need to be fun, supported by executives and management, focused on changing the behavior of employees, interactive (in the sense of requiring users' feedback and ideas), and diverse (in the sense that they should reach the entire company through newsletters, posters, email tips, and other communications on a regular basis).

Recipients of the security awareness program need to be exposed to the same message repeatedly, so the awareness program needs to be sustainable, repeatable, and long-term. Voluntary participation in security awareness programs appears to have little effect on perceived security effectiveness, so the training ought not to be voluntary.

The effectiveness of the security awareness program needs to be measured. Security is not a destination but a process, yet progress still needs to be measured. 48% of the respondents in the EMA research study stated that their organization measured the effectiveness of its security awareness program, while 18% were certain that it was not measured and 34% did not know whether progress was measured.

Unfortunately, 62% of organizations measured effectiveness by training completion, which is mere attendance, and 55% used testing at the end of the session, whereas they should be collecting metrics from employee behavior and ongoing testing.

Security Awareness

Is security awareness widespread?

71% of companies were subjected to a successful cyberattack, but only 52% of them expected to be attacked again in 2015. Security incidents are on the rise: in healthcare they reportedly rose by 60%, in the automotive industry by 32%, and so on.

Small businesses (those with fewer than 100 workers) account for the majority of untrained personnel. Enterprises with between 10,000 and 20,000 employees have only around 8% untrained employees.

Furthermore, 63% of businesses do not have a fully mature way to track and control the flow of their sensitive data, while 59% of employees steal proprietary data when they quit or are fired.

Therefore, we can conclude that more security awareness is needed.

References

https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/

https://en.wikipedia.org/wiki/Security_awareness

http://www.darkreading.com/operations/careers-and-people/is-security-awareness-training-really-worth-it/d/d-id/1317573

https://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013

https://www.knowbe4.com/press/security-awareness-training-reduces-phishing-susceptibility-by-75

https://www.scmagazine.com/security-awareness-training/slideshow/3390/#1

http://www.deertech.com/e-news/march2013_1.html

https://www.solutionary.com/resource-center/blog/2016/10/the-culture-of-security-awareness-and-corporate-benefits/

http://blog.integrityts.com/5-benefits-of-security-awareness-training

http://www.securityweek.com/security-awareness-training-debate-does-it-make-difference

http://blog.commlabindia.com/elearning-design/information-security-awareness-training

http://www.ifip.org/wcce2009/proceedings/papers/WISE6_Kowalski.pdf

http://csrc.nist.gov/organizations/fissea/2012-conference/presentations/fissea-conference-2012_quagliata.pdf

http://www.welivesecurity.com/2012/10/10/study-finds-90-percent-have-no-recent-cybersecurity-training/

http://sdr-uk.com/statistics-security-awareness-within-healthcare-industry/

https://info.wombatsecurity.com/hs-fs/hub/372792/file-1842832356-pdf/EMA_Wombat-

http://www.infosec-cloud.com/security-awareness-training-the-numbers/

http://www.marketingcyber.com/2016-cybersecurity-statistics/

https://www.bitsighttech.com/blog/data-breach-statistics

https://securingthehuman.sans.org/resources/metrics

http://www.gore.com/MungoBlobs/352/663/C-TPAT%20Security%20Awareness.pdf

http://www.yeoandyeo-consulting.com/news/security-awareness-training

http://www.csoonline.com/article/2987822/data-protection/does-security-awareness-training-even-work.html

https://www.rapid7.com/fundamentals/security-awareness-training/

Be Safe

Ivan Dimov