Cybersecurity training: Need “…a red-hot poker to open up my eyes, it’s so boring”
Reeves et al. [1] authored an illuminating review of cybersecurity training and how it’s going these days. Spoiler alert: not great! While a large number of cybersecurity officers assert that employee education and training is their highest priority and have invested in security education, training, and awareness (SETA) proportionately, the outcomes are often ineffective, and occasionally negative. Employees who have had training were sometimes found to have poorer awareness of risks than others who had not had the training [2, 3]. The authors isolated cybersecurity fatigue as a factor that leads to deteriorating cybersecurity behavior, noting that SETA programs can make employees feel overwhelmed, frustrated, and tired of hearing about cybersecurity, which leads them to disregard security-related protocols and to disengage from cybersecurity advice.
To illustrate this point, the authors highlighted case studies of three employees who explain their attitudes about aspects of their engagement with various cybersecurity functions using some wonderfully colorful language. A security department was described as “retentive” and “over the top”; a policy that allows security personnel to audit personally owned devices present in the work environment was called “silly”; cybersecurity training videos were described as “terrible, really just horrible”, with one employee stating he needed a “red-hot poker to open up my eyes, it’s so boring”; and a system that fails to update passwords across devices was called “painful”. The candor in these interviews feels on-point, and the authors put forth a sound model for reducing cybersecurity fatigue: the four-component model of cyber security fatigue.
The model proposes that fatigue sources can be advice-related or action-related, and that the types of fatigue can be attitudinal or cognitive. Using this model, employers can understand where employee cybersecurity training fatigue comes from, and then leverage that insight to take steps to mitigate it.
If you are thinking that your organization may be missing the mark on cybersecurity training, and perhaps causing employee fatigue, here are a few tips for creating a cybersecurity training curriculum that is mindful of its purpose, and also of its propensity for being annoying:
Accountability. Expectations and reporting pathways should be clear.
Frequency. The appropriate number of training programs per year should be adjusted according to your employees’ needs. Watch for signs of fatigue and adjust accordingly.
Applicable. Train for what is necessary, and don’t make it longer than necessary just because you are trying to make it more fun. Get to the point and avoid fatigue. Get input from security professionals to develop an appropriate curriculum or to adopt an appropriate existing program.
Get the buy-in. Employees should feel supported and empowered to report anything suspicious or unusual.
Employees will appreciate the respect that comes from considering that their time on cybersecurity training should be spent as efficiently as possible, and perhaps without the repetitiveness and cartoonish bad guys.
[1] Reeves et al., 2021, SAGE Open, “Encouraging Employee Engagement with Cybersecurity: How to Tackle Cyber Fatigue”
[2] Parsons et al., 2013, Security and Privacy Protection in Information Processing Systems (IFIP Advances in Information and Communication Technology), “Phishing for the truth: A scenario-based experiment of users’ behavioural response to emails”
[3] Pattinson et al., 2016, Human Aspects of Information Security & Assurance, “The information security awareness of bank employees”