
Security Awareness Training – Keys to Delivering a Successful Program

By Gretel Egan
June 9, 2020

Security awareness training is no longer a “nice-to-have” for organizations. End users have become a critical component of effective security postures. Employees must have a strong understanding of cybersecurity best practices and learn how to detect and defend against targeted attacks. This shift in priority is needed to address an ongoing trend in the larger threat landscape.

Cybercriminals have moved away from complicated, time-consuming technical exploits to concentrate on end users, a large and frequently vulnerable attack surface. Small or large, nearly every attack now begins in the same way: by relentlessly targeting people through email, social networks, and/or cloud and mobile applications.

In a recent study, Proofpoint found that nearly 90 percent of global organizations surveyed were targeted with business email compromise (BEC) and spear phishing attacks in 2019. This reflects threat actors’ increasing focus on highly sophisticated, personally addressed phishing emails that dramatically increase their chances of success.

But there is positive news in the face of these increased attacks. In the same Proofpoint study, 78 percent of information security professionals surveyed said that security awareness training initiatives led to a measurable reduction in phishing susceptibility among their organization’s end users.

The need for a cyber-aware, well-trained workforce has never been clearer. With attackers focusing on users, organizations need to follow suit and take a people-centric approach to cybersecurity.

 

Security Awareness Training Program Essentials

Because risk and cyber awareness can vary significantly between industries and organizations, there is no true one-size-fits-all security awareness training curriculum. That being said, all organizations will benefit from taking a continuous approach that incorporates the following four components.

 

1. Identify Risk

Identifying risk means examining both end-user vulnerabilities and the incoming threats that target the organization in general and certain employees in particular. Organizations should focus on three key activities:

  • Assessing general cybersecurity knowledge
  • Gauging users’ vulnerability to specific phishing lures and themes
  • Using threat intelligence to determine the methods attackers are using and the people they are most frequently targeting

 

2. Change Behavior

The most effective programs blend broad, organization-wide awareness and training activities with more targeted, threat-based education. All employees should have a fundamental knowledge of the actions and behaviors that can improve their cyber hygiene at work and at home. This helps to build a culture of security in which all users have a unified purpose.

 

3. Reduce Exposure

This action establishes tools and channels employees can use to quickly report suspicious emails and other potentially malicious activities. It also gives security teams the opportunity to identify and address attacks that slip through perimeter defenses—attacks they would otherwise be unaware of. Organizations can engage end users in this important component of people-centric security by:

  • Implementing an email reporting tool – In-client buttons allow users to easily forward suspicious emails to response teams with all security information intact.
  • Automating analysis and remediation – CISOs should consider solutions that perform real-time analysis of reported emails, prioritize the most dangerous messages, and automatically quarantine or delete active attacks.
  • Establishing reporting mechanisms for threats outside of email – Organizations should encourage a “see something, say something” policy related to potentially suspicious activities end users might witness, like unescorted visitors, malicious insider threats and imposter websites.

 

4. Measure and Adapt

Measurement tools allow organizations to gauge progress, assess ROI, share information with stakeholders and course correct as needed. Baseline simulated phishing failure rates and knowledge assessment results help establish starting points to measure against, and follow-up exercises provide additional insights and the opportunity to test and train end users on emerging threats and issues that are specific to the organization.

Infosec and/or training teams are also likely to be pressed to evaluate the success of security awareness training initiatives. In addition to metrics specifically related to program components, organizations can look to their security teams to gauge improvements in end-user behaviors by tracking these three measurements:

  1. The number of emails reported by end users – Security teams should see a noticeable uptick in the quantity and quality of reported emails as training progresses.
  2. Rates of malware infections and successful phishing attacks – Effective security awareness training should lead to decreases in malware infection rates and successful phishing attacks from the wild.
  3. IT man-hours tied to end-user issues – As users become more educated about threats and risky behaviors, IT and remediation teams should see a reduction in the amount of time spent addressing malware infections and other ramifications of successful cyberattacks.

Security awareness training is integral to developing a successful, people-centric approach to cybersecurity. By following the above recommendations, organizations can ensure their programs are designed to effectively and efficiently prepare employees for attacks that are increasingly targeting them directly.


Gretel Egan is a security awareness training strategist for Proofpoint, a leading provider of cybersecurity services and solutions. She is a Certified Security Awareness Practitioner (CSAP) and has been working in technical, business and consumer communications for more than 20 years. Gretel has extensive experience in researching and developing cybersecurity education content for Fortune 1000 companies and was named one of the “10 Security Bloggers to Follow” by IDG Enterprise.
