Security Awareness Training vs. Testing: Who's Doing What?

Security awareness training matters because information security matters to the business: securing information protects competitive advantage, meets regulatory obligations and satisfies customer expectations. Security compromises are expensive, both in direct costs such as remediating a vulnerability and in indirect costs such as damage to reputation. A key component of any security strategy is therefore that end users be properly trained. A survey from the security firm Rapid7 found that almost 66% of companies perform some form of security awareness training. However, only 33% follow up with testing, such as phishing simulation, to evaluate whether the training given to employees is actually effective.

The report, The Threat Within: Securing User Risk, summarizes key points about the end-user security controls implemented by over 550 organizations. In 2013, Rapid7 surveyed IT professionals at these organizations to determine which security controls they have in place to reduce the risk of user-oriented attacks.

The following charts compare awareness training with users' susceptibility to social engineering via phishing. The first chart shows that 66% of companies perform some form of security awareness training.


The second chart shows that only 33% of companies follow up the training with actual testing to determine whether employees understood what they were taught.


As the report indicates, many companies know that end users need to be educated on information security, but far fewer test whether that education worked. Without testing, such as a phishing simulation run after the training, there is no evidence that the training is meeting its intended objective; the percentage of employees trained says nothing about the percentage who would still click a malicious link.

Visit our Phishing Facts and Resources pages for information on the threat of phishing and how to prevent it. If you have any questions or comments, or want to learn how you can test your employees' susceptibility to phishing attacks, please contact us.