Cyber security awareness learning ‘needs to enter the 21st century’
The one-dimensional and outdated cyber security awareness learning provided by most UK organisations – including charities – is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviours look like, according to new research from AXELOS.
The approach also does little to create, embed and sustain the behaviour change required in organisations to respond better to cyber attacks. While 82 per cent of those surveyed are using traditional, computer-based training and e-learning, less than a third are deploying some of the latest learning techniques that offer more immersive and engaging learning for staff.
The research, commissioned by AXELOS and conducted by Ipsos MORI, shows that three information security learning methods are used in more than half of UK workplaces: computer-based training/e-learning, face-to-face instruction and video instruction. Newer, proven learning techniques are being adopted by a comparatively small proportion of organisations. For example:
- Simulations – 31 per cent
- Animations – 26 per cent
- Games – 14 per cent
Forgotten at once
Compounding the problem, fewer than half (46 per cent) of executives responsible for information security training in UK organisations with more than 500 employees provide ongoing information security awareness training beyond new staff induction or annual, e-learning refresher courses.
Nick Wilding, head of cyber resilience best practice at AXELOS, said: “Organisations are still trusting in their annual, cyber awareness e-learning. To expect this approach to influence resilient behaviours is unrealistic. Typically, this one-off course – required once, designed once, delivered once and completed once – is also forgotten at once.
“It risks leaving staff ill-prepared and unaware of the practical things they can do more effectively to manage the daily risks they face. We need a new approach: just as technical controls will evolve and adapt in response to changing threats and vulnerabilities so we need to ensure all our people receive practical and engaging advice and refresher learning on a regular basis throughout the year.”
Lack of tailored learning
Wilding said that despite the almost universal belief (99 per cent) among senior managers that information security awareness training is important to minimising cyber security breaches, less than half that number (47 per cent) are tailoring the learning to the jobs their people do. This is despite nearly two-thirds (63 per cent) highlighting the importance of cyber security in minimising human error in their organisation.
He added: “One size simply doesn’t fit all in this critical area of staff development and neither does it support an organisation’s investment in protecting its corporate reputation and competitive advantage.”
The AXELOS research also asked executives to identify what they thought were the greatest sources of risk for an information security breach. They said:
- 49 per cent: intentional attack by external hackers, criminals, terrorists or activists.
- 45 per cent: unintentional error by employees or contractors.
- 40 per cent: intentional attacks by employees or contractors.
- 17 per cent: third party suppliers or joint venture partners as a route exploited by cyber criminals.