7 reasons for security awareness failure


Ira Winkler and Samantha Manke just wrote a great article at the CSO site about why security awareness programs fail. 

They started out with: "There is a great dichotomy in Security Awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture — in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases, such as protecting and attacking "Layer 8" have emerged.

Yet we periodically see the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation not complete prevention and needs to be implemented properly."

 The Seven Awareness Failures are:

  1. Not understanding what security awareness really is
  2. Reliance on checking the box
  3. Failing to acknowledge that awareness is a unique discipline
  4. Lack of engaging and appropriate materials
  5. Not collecting metrics
  6. Unreasonable expectations
  7. Relying upon a single training exercise
Their conclusions: "Most security awareness programs are doomed from the start, but it doesn't have to be that way. You can implement the successful habits that we previously identified, but you first have to remove any impediments to success. By setting the proper foundation, you will be able to implement a program that has a true return on investment and mitigates what is described as the top vulnerability exploited by advanced attacks."
Here at KnowBe4, we could not agree more! So read their article and learn about the pitfalls that might trap you.


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews