Security awareness

Pros & cons of using an LMS for security awareness & training

February 25, 2020 by Tyler Schultz

Can you use your learning management system to deliver employee security awareness and training? We get this question a lot. The short answer is, with the right security awareness and training partner, yes you can. The long answer is, it depends on your organization’s training goals, what metrics you need to track and the integrations and capabilities available in your LMS.

The truth is, your learning management system can certainly help you deliver computer-based security training to employees. The problem is, most learning management systems lack several key elements that enable you to educate and inspire your workforce to adopt secure habits. While your LMS may help you check a compliance checkbox, it isn’t the best tool for actually keeping your employees and organization secure.

In this post, we’ll cover the pros and cons of running a security awareness and training program from your LMS as opposed to a dedicated security awareness and training platform. Is using an LMS for security awareness and training your only option? We’ve got you covered. We’ll also cover several tips for getting the most out of your employee security awareness program if you need to use your LMS.

Want to see the Infosec IQ security awareness and training platform in action?

Request a Demo

3 benefits of using your LMS for security awareness & training

Running your security awareness and training program from your LMS has three major benefits.

1. Single platform for all employee training

Delivering security awareness and training from an LMS is convenient for organizations that already use an LMS to deliver new hire orientation, professional development courses, compliance training and more. This not only allows you to use an existing system, but it also simplifies learner management.

2. Consistent tracking and reporting across all internal education

Using an LMS to deliver security awareness and training also standardizes tracking and reporting for all internal training. This gives organizations familiar metrics to track performance across all departments.

3. Consistent training experience for employees

Learners may also benefit from taking all internal training from a single, familiar portal — regardless of topic or curriculum.

Using an LMS for security awareness and training looks like an attractive option because of its apparent business efficiencies. Although these business efficiencies create benefits for administrators, they aren’t designed to help you change employee security behavior. Running a security awareness program from an LMS can create inefficiencies in the most important part of your program — employee education.

6 challenges of using your LMS for security awareness & training

Running your security awareness and training program from your LMS has six major challenges.

1. No phishing simulations

Simulated phishing is a core element of every security awareness and training program. Phishing simulations and in-the-moment training have proven to significantly improve your employees’ abilities to detect and report suspicious emails. Using an LMS to deliver employee security training requires an organization to use a separate platform to deliver phishing simulations, which eliminates the ease of using an LMS and creates additional challenges listed below.

2. Separate training and simulated phishing data

One of the major challenges of using both an LMS and a phishing simulation platform is the separation of learner data. Security awareness and training platforms like Infosec IQ track behavior and risk scores for each learner, allowing program managers to automatically tailor training for each employee based on their training, assessment and phishing performance. Maintaining learner training data on two separate platforms hurts your ability to deliver the most effective training experience to each employee.

learner grade

3. No pre-built assessments

Although most learning management systems include assessments, they don’t typically include assessments built for employee security training. Using an LMS requires program administrators to either develop their own assessment criteria or import assessments from a security training solution. Furthermore, leading security awareness platforms such as Infosec IQ include adaptive assessments built to measure employee understanding of the core cybersecurity topics recommended by NIST. While an LMS can generate assessment scores, they are not equipped to measure an employee’s or organization’s risk profile.

4. Out-of-context reporting

Not only does using an LMS limit learner tracking and training personalization, it also restricts the reporting capabilities of the security awareness and training platform. Solutions like Infosec IQ include industry benchmarks and training data organized by NIST-recommended topics. This enables program managers to track organization-level progress and trends over time while comparing performance to industry averages.

5. Complicated training content management

While security awareness and training platforms like Infosec IQ come loaded with training modules, assessments and reinforcement tools, training managers need to upload and update training content in learning management systems. Although this can be done with SCORM-compliant training modules, static SCORM files must be manually replaced when training modules are updated with new material.

6. Campaign inefficiencies

Unlike new hire orientation or mandatory compliance training delivered from an LMS, security awareness and training needs to be consistently delivered throughout the year to inspire lasting behavior change and prepare your workforce for changing threats. For this reason, security awareness and training platforms come with campaign tools, notifications, dynamic learner groups and more to deliver sophisticated training campaigns with ease. Using an LMS to run your security awareness and training program forfeits the campaign features and automation tools that make a security awareness program successful and easy to manage.

What if a dedicated security awareness & training platform isn’t an option?

In nearly every case, security awareness and training programs are more effective when delivered from a comprehensive training and phishing simulation platform. However, we understand that it isn’t always possible for every organization. If you need to run security awareness and training from your LMS, be sure to work with a vendor with these three features.

SCORM as a Service

Unlike static SCORM files, SCORM as a Service training modules stream directly from a security awareness and training platform to ensure your LMS delivers each training module’s most recent version.

Large and diverse content library

The saying “content is king” rings true for any security awareness and training program. But if your training program is limited by your LMS’s capabilities, it’s even more important to utilize the most engaging training content available. This includes entertaining training series, themed reinforcement tools such as posters, infographics and digital banners and a communication plan to tie together your training assets and keep your employees engaged throughout the year.

Large question and assessment library

If you’re using your LMS for security awareness and training, it’s also important to choose a training partner with an extensive question and assessment library, which can be loaded into your LMS. This will help you measure employee retention and tie assessments to your training curriculum.

Ready to take the next step?

Whether you plan on using an LMS for security awareness and training or using a dedicated training and phishing simulation platform, we can help. Demo the Infosec IQ security awareness platform today to learn how we can help tailor your training and phishing simulation program to your organization’s needs.

Request a Demo
Posted: February 25, 2020
Articles Author
Tyler Schultz
View Profile

Tyler Schultz is a marketing professional with over seven years of experience delivering SaaS solutions to organizations of all sizes. As a product marketing manager at Infosec, he is dedicated to helping organizations build strong cybersecurity cultures and meet their security awareness goals. He helps the Infosec team push the boundaries of effective and engaging security awareness training with a focus on experiential learning, gamification, microlearning and in-the-moment training. Tyler is a UW-Madison and UW-Whitewater graduate and Certified Security Awareness Practitioner (CSAP).