Employees Would Simply Rather Not with Boring Security Awareness Training, New Research Finds

Download this report from Osterman Research and MediaPRO on the importance of security awareness training in forging a security culture.

In news surprising no one, a new survey of 1,000 U.S. employees has found that boring security awareness training doesn’t make them want to be secure.

“Our research found that users who found training to be ‘very interesting’ were more than 13 times more likely to make fundamental changes in the way they think about security compared to those who found the training to be ‘boring’,” said Michael Osterman, researcher and president of Osterman Research, who conducted the study.

The research supports the claim that employees get far more benefit out of interesting and engaging training, joining facts such as “the sky is blue,” and “water is wet.”


Security Awareness Training As A Key Element in Changing the Security Culture

Explore the state of corporate cybersecurity culture from the perspective of both IT managers and decision makers and the everyday employee in this piece of original research from Osterman Research, co-sponsored by MediaPRO.


Effective Security Awareness Training

As users receive more security awareness training, their ability to deal effectively with security threats increases, the report found. The “before-and-after” picture shows that properly trained users are much more likely than their untrained colleagues to spot phishing attempts, business email compromise, and other cybersecurity threats.

The study, Security Awareness Training as a Key Element in Changing the Security Culture, surveyed both everyday employees and IT managers and decision makers to gauge opinions on the current state of security training and awareness. MediaPRO co-sponsored the report.

Key Takeaways

Other key takeaways from the report include:

  • IT, security, and business leaders – while generally wanting to establish a strong cybersecurity culture within their organization – are somehow not conveying that idea effectively to a large proportion of their employees.
  • Security awareness training is perceived to be as important as technology in dealing with security threats and organizations will be devoting more employee time to training over the next year.
  • Approximately 45 percent of employees surveyed expect to spend 15 minutes or more per month in training by mid-2021, up from 26 percent in 2020.
  • Senior IT and business management are much more enthusiastic about security awareness training than are non-management employees.
  • Security and IT leaders, their staff members, and business leaders are largely onboard with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.

“Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall,” MediaPRO Chief Strategist Lisa Plaggemier said.

“Good security awareness training should get and keep your attention. That’s what it means to be engaging,” Plaggemier continued.

As lots of scary industry research continues to find, cybersecurity technology alone is not enough to keep businesses secure. Bad guys go after employees, plain and simple.

Equipping them with the know-how to turn away cyberattacks means providing engaging security training that speaks their language and tells them what they need to know: no more, no less.


Engage! The Benefits of Building Security Training Employees Want to Take

Explore the importance of security training and awareness in forging a security culture and how the quality of that training comes into play with Osterman Research President Michael Osterman and MediaPRO Chief Learning Officer Tom Pendergast.
