There’s little doubt that a good cybersecurity training program is effective at boosting employees’ awareness of phishing tactics. One Ponemon Institute survey found that 79 percent of IT security professionals identified employee training as a key strategy for improving cyber resilience.
But let’s face it: Some organizations’ training programs aren’t very good. That would explain why 27 percent of the organizations surveyed for Proofpoint’s annual State of the Phish report said their phishing failure rates had stayed the same even after they implemented a training program.
Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said employees are plagued by an “epidemic of boringness” when it comes to cybersecurity training. She blamed this on training developers paying too much attention to compliance-focused box-checking and too little to making the training fun.
“We take the perspective of the content that we have to deliver—that’s what takes priority,” Plaggemier said. “It’s the laundry list of behaviors that’s listed in all of our policies—the regulation, what are we trying to comply with? We’re very, very focused on the content, but we’re forgetting that we’re training human beings.”
Joined by Jenny Brinkley, a director of security with Amazon, Plaggemier spoke at the RSA Conference, one of the largest cybersecurity events of the year, running through April 27 in San Francisco.
Try Putting Some Emotion into Your Cybersecurity Training
Plaggemier said security leaders should ask themselves a few questions about their training programs: “Is it engaging? Does it get and hold their attention? Does it make them curious for more? Have you ever had anyone come to you after taking your security training and ask for more? It very rarely happens.”
She noted that many employees get through their cybersecurity training by ignoring as much of it as they can. They open the training module in one tab and perform other tasks in another, or they fast-forward through the training to get straight to the required quiz.
Lisa Plaggemier, executive director of the National Cybersecurity Alliance, speaking at RSA 2023 (photography by Bob Keaveney).
“We go through it as fast as we possibly can, unless the vendor has gotten really tricky and we can’t advance any of it until a boring voice has read to us every word that’s on the script,” she lamented. “From a user experience perspective, it’s awful. And for those of us who administer this training, I would argue that it’s not a good inspiration for behavior change. It’s not effective.”
Plaggemier and Brinkley said that focusing more on human emotion can help make a training program more enjoyable, citing the United Airlines preflight safety video as an example.
How to Make Cybersecurity Training More Engaging
They offered several suggestions for how IT security leaders, with their limited budgets and lack of experience as content creators, can improve awareness training:
- Brainstorm with creative types in your organization. Plaggemier suggested reaching out to people in your organization who are funny, creative and unique. Don’t worry about having much input from human resources or even from IT security. “I would argue that you only need one person from security,” she said. “Ask that group, ‘How do we make cybersecurity interesting?’ You’ll be shocked at the good ideas that come out of people.”
- Draw inspiration from pop culture. Don’t be too scrupulous about stealing others’ work if you don’t plan to market your training. “A famous playwright said, if you steal from one author, it’s plagiarism; if you steal from many, it’s research. Steal ruthlessly.”
- Be relatable. “Whatever are those things at your company that are super relatable, that little bit of inside baseball that everyone will get, can you somehow build on that?” Plaggemier said.
- Don’t break the budget. You don’t need to spend a fortune on production. You can hire freelance graphic designers, videographers and other creatives at reasonable prices. “There’s a whole gig economy out there,” Plaggemier said. “They don’t need to know much about cybersecurity; they just need to know enough to deliver the message.”
- Don’t let naysayers get you down. “You’re always going to have at least one person in every organization who doesn’t like what you’re doing, especially if you’re doing something different,” Plaggemier said. Don’t worry about it. Of course, if you’re doing something edgy, it’s wise to involve senior leadership, including HR, early on to get buy-in. But in general, Plaggemier said, someone taking mild umbrage might be “a hint that you might actually get people’s attention.”
Photo courtesy of RSA Conference 2023