In 2024, human error continues to be the number one cause of data breaches, leaks and compliance fines in the enterprise. Despite organizations consistently investing in cybersecurity awareness training, something is going amiss: employees aren’t learning.
For CISOs and their teams, the fallout of ineffective training programs can be severe. Many training initiatives are expensive, and wasted investments (especially those that lead to costly, reputation-damaging data breaches) are extremely frowned upon by C-level executives.
Here, we’ll explore why security training programs often fail, and explain how AI-driven nudges can elevate cybersecurity awareness program success.
Is your cybersecurity awareness training program broken?
In our experience, cybersecurity awareness programs fail for at least one of the following reasons:
- Tick-the-box exercise: Training programs are designed to educate employees on the crucial role they play in safeguarding organizations from threat actors. However, too often, companies merely treat training as a tick-box exercise, aimed at satisfying regulators and suppliers. This means little thought or care is put into the training. Companies simply want to “get it over with”, which leads us to the next issue.
- Uninspiring: Many training programs are, frankly, dull: too long, outdated, and mundane. All of this means that employees zone out instead of leaning in to learn. In line with this, Microsoft research shows that video-based training only reduces risky security behaviors by 3%.
- One for all: The people in your organization have different roles, different system permissions and different responsibilities. And yet, more often than not, cybersecurity training lacks any personalization. Without context, training fails to be relevant to employees at different levels of the company.
- Phishing-led: Many organizations place the emphasis on phishing training. While phishing is a significant threat to organizations, it is certainly not the only one. In fact, threats like accidental data leakage and cloud misconfigurations lead to more security incidents on average. If your training program only educates employees on a handful of threats, they’ll be unequipped to prevent breaches in their day-to-day jobs.
- No follow up: Traditional training programs steal employees away from their actual work. For companies that employ people with high billable hourly rates, this spells trouble for everyone. Because of that, training is often limited to a yearly or quarterly event, with little attention given to cybersecurity awareness outside of this time. The problem is that only 10% of employees remember training after a one-off session, according to Harvard Business Review. To be effective, companies need to be more consistent and regular with their training efforts.
Clearly, impersonal cybersecurity awareness training efforts don’t yield results. Still, companies don’t want training to infringe on the time employees should spend doing their jobs.
Thankfully, it doesn’t have to. With the advent of artificial intelligence (AI), there’s a new type of security awareness training available: one that delivers real-time education to employees in their everyday workflows.
Enter nudges.
What is a nudge?
Nudges are gentle interventions that subtly influence people into making the nudge creator’s desired decision. They do not take away people’s right to choose. Instead, they make the nudge creator’s desired choice appealing through small changes within the environment.
Here is an example to put nudges in context. Imagine that two high schools want their students to eat healthier. They use different strategies to achieve this. The first school stops selling junk food, taking away the children’s right to choose what they eat.
The other school uses nudge theory to encourage students to make healthy choices by redesigning how they present food options to students. They achieve this by placing healthy food, like salads, fruit and vegetables, at the front of their food display and leaving only a small section of junk food available.
While this is a hypothetical example, it is actually a mechanism used by forward-thinking schools across the US with great results. Studies show that using choice architecture, instead of outright banning foods, yields better, long-term behavior change.
Psychologically, it is easy to see why. When choice is taken away, individuals are more likely to rebel. However, when you gently nudge users towards better decisions, they retain a sense of autonomy, meaning they are more likely to accept your interventions.
Nudges in cybersecurity
Just as nudges can help students eat healthier, they can also help employees to make better security-related decisions. In security awareness training, nudges are digital and AI-enabled. They are real-time prompts that appear in the user’s workflow—applications like Slack and Microsoft Teams.
As the user goes about usual work tasks—such as accessing files, uploading and downloading data, and sharing information—these nudges work in the background, using data analytics and artificial intelligence to assess the riskiness of user behavior with regards to compliance mandates and internal company policies.
When a user violates a policy, the nudge appears, offering guidance that influences the user into making a more secure decision. Best-in-breed solutions are also highly contextual thanks to deep learning. They build a comprehensive picture of each user’s behavior patterns, providing personalized and tailored nudges that maximize learning.
What to look for in a security awareness nudge tool
As organizations realize that they need to reimagine security awareness training, nudge-based security tools are becoming increasingly popular. However, not all nudge solutions are created equal. Here are the key features you should look for:
- Real-time, embedded training: For maximum impact, your solution will deliver nudges at the point of violation. This method is proven to boost learning retention and reduce the likelihood of employees making the same mistakes over and over.
- ROI metrics: Being able to quantify security investments has long been a challenge for security teams. However, best-in-class nudge solutions are embedded with data analytics and capture employee risk scores over time. As these scores fall, you’ll be able to numerically show the benefit of your awareness program to stakeholders.
- Automated: Look for a solution that requires little manual intervention, allowing you and your team to focus on higher-value, strategic projects while the solution works autonomously on your behalf.
- DLP: Solutions like Polymer data loss prevention (DLP) combine real-time nudge training with data loss prevention to educate employees on security-conscious behaviors while mitigating the risks of data leakage and human error.
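As an added illustration of the mechanism described under “Nudges in cybersecurity” and of the real-time and ROI-metric features listed above (example code written for this page, not Polymer’s or any vendor’s implementation), here is a minimal rule-based nudge engine in Python. It evaluates constructed collaboration-app events against two policy rules, emits the guidance text at the point of violation, and keeps a per-user risk score whose downward trend is the kind of number a stakeholder report would show. The event schema, the rules, the domain and the scoring weights are all assumptions.

```python
import re
from collections import defaultdict, namedtuple

INTERNAL_DOMAIN = "example.com"                 # constructed value for the sample organization
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # crude card-number pattern, illustration only

# Hypothetical activity record: action is "share_file" or "post_message"; target is the
# recipient address for a share or "#channel" for a message; content is the message text.
Event = namedtuple("Event", "user action target content", defaults=("",))

# Each rule: (id, predicate over an Event, nudge text shown at the point of violation).
RULES = [
    ("external-share",
     lambda e: e.action == "share_file" and not e.target.endswith("@" + INTERNAL_DOMAIN),
     "Sharing outside {org}: check the file holds no customer data; prefer a view-only link."),
    ("pan-in-channel",
     lambda e: e.action == "post_message" and e.target.startswith("#") and PAN_RE.search(e.content),
     "This looks like a card number. Never post payment data in channels; use the ticketing system."),
]

def evaluate(event):
    """Return (rule id, nudge text) for each rule the event violates; empty when compliant."""
    return [(rid, text.format(org=INTERNAL_DOMAIN)) for rid, pred, text in RULES if pred(event)]

class RiskTracker:
    """Per-user score: +10 per violation, -20% per compliant action; history is the trend."""
    def __init__(self):
        self.scores, self.history = defaultdict(float), defaultdict(list)

    def record(self, event):
        nudges = evaluate(event)
        if nudges:
            self.scores[event.user] += 10 * len(nudges)
        else:
            self.scores[event.user] *= 0.8
        self.history[event.user].append(round(self.scores[event.user], 2))
        return nudges

SAMPLE_EVENTS = [  # constructed activity for one user
    Event("alice", "share_file", "bob@partner.io"),
    Event("alice", "post_message", "#support", "customer card 4111 1111 1111 1111 declined"),
    Event("alice", "share_file", "carol@example.com"),
    Event("alice", "post_message", "#support", "ticket 4821 moved to billing"),
]

def run(events=SAMPLE_EVENTS):  # replay events, print each nudge as it fires, return the tracker
    tracker = RiskTracker()
    for ev in events:
        for rid, text in tracker.record(ev):
            print(f"[nudge:{rid}] {ev.user}: {text}")
    return tracker
```

Replaying the sample shows two nudges, then a score that decays as the user keeps acting within policy; a real tool would also feed the user's past pattern into which rules fire and how the text is worded.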
This is your nudge to improve security. Find out more about how Polymer DLP can help you boost training outcomes today.