Security Awareness Training vs. Testing: Who's doing what?

Security awareness training is important. In today's business environment, information security is important: securing information helps keep competitive advantages, meet regulatory compliance, and satisfy customer expectations. Security compromises can be expensive in direct expenditures, such as fixing a vulnerability, and in indirect costs, such as damage to reputation. A key component of any security strategy is that end users are properly trained. As indicated in a survey from the security firm Rapid7, almost 66 percent of companies perform some form of security awareness training. However, only 33 percent perform testing, such as phishing simulation, to evaluate the effectiveness of the security awareness training given to employees.

The report, The Threat Within: Securing User Risk, summarizes key points about end-user security controls implemented by over 550 organizations. In 2013, Rapid7 surveyed IT professionals at these organizations to determine the security controls they have in place to reduce the risk of user-oriented attacks.

The following charts depict the results related to awareness training on users' susceptibility to social engineering tactics via phishing. As the chart indicates, 66 percent of companies perform such security awareness training.


As you can see in the following chart, only 33 percent of companies follow up the training with actual testing to determine if the employees adequately understand the training that they received.


As the report indicates, many companies know that end users need to be educated on information security. However, there is room for improvement in the number of companies that employ testing to determine the effectiveness of the training. Without testing to evaluate effectiveness, training may not be meeting its intended objective.

Visit our Phishing Facts and Resources pages for useful information on the threat of phishing and on phishing prevention. If you have any questions or comments, or want to learn how you can test employees' susceptibility to phishing attacks, please contact us.