Security Awareness Training vs. Testing
Compare training and testing so your team can build a program that measures and improves real behavior.
Security Awareness Training vs. Testing: Who's Doing What?
Security awareness training is important because information security is important to the business: securing information helps preserve competitive advantage, meet regulatory requirements, and satisfy customer expectations. Security compromises can be expensive, with direct costs such as remediating a vulnerability as well as indirect costs such as damage to reputation. A key component of any security strategy is ensuring end users are properly trained. According to a survey by the security firm Rapid7, almost 66% of companies perform some form of security awareness training. However, only 33% conduct testing, such as phishing simulation, to evaluate the effectiveness of the security awareness training given to employees.
The report, The Threat Within: Securing User Risk, summarizes key points about end-user security controls implemented by over 550 organizations. In 2013, Rapid7 conducted a survey of the IT professionals at these organizations to determine the security controls they have in place to reduce the risk of user-oriented attacks.
The following chart depicts the survey results on awareness training compared with users' susceptibility to social engineering tactics delivered via phishing. As the chart indicates, 66% of companies perform such security awareness training.
As the second chart shows, only 33% of companies follow up the training with actual testing to determine whether employees adequately understood the training they received.
As the report indicates, many companies know end users need to be educated on information security. However, far fewer companies test whether that education is effective, which leaves room for improvement. Without testing to evaluate effectiveness, training may not be meeting its intended objective.
Visit our Phishing Facts and resources pages for useful information on the threat of phishing and phishing prevention. If you have any questions or want to learn how you can test employees' susceptibility to phishing attacks, please contact us.