Security Awareness Training Overview
What is Security Awareness Training?
Security awareness training protects enterprises against cyber threats that exploit human nature, or simple inattention. These threats include primarily phishing, and also ransomware or other behavior-based vulnerabilities. Cyber security awareness training services can include instructional materials, live teaching, and realistic phishing simulations. To keep up with evolving attack methods, security training services provide continuous training and updates.
The consensus among cyber experts is that prescheduled classroom training is ineffective on its own. So threat simulation is central to enterprise security awareness training and services. While e-learning libraries are included in many online security awareness training offerings, it is simulations delivered surreptitiously that provide authentic proof of workforce resilience in the face of real cyber attacks. Various kinds of simulated attacks may include spear phishing (e.g. pretending to be a trusted sender), BEC (business email compromise), social engineering attacks, HTTPS spoofing, and drive-by cyber attacks.
After simulations, employees who responded inappropriately can then be trained according to their mistakes via classes and lessons, delivered in-context. Research on attention has led to a preference for microlearning courses: sections that take only 10 minutes or less to complete. After the security awareness testing cycle, service providers offer detailed reports about what simulated attacks were successful, or what if any policies were violated.
Providers of security awareness training may also provide privacy or compliance training, or behavior monitoring and remediation.
Features of Security Awareness Training
Security awareness training offerings may consist of the following:
Pre-assessments, or baseline testing to assess vulnerability
Phishing simulation imitating known attack patterns
Random, asynchronous attack delivery
Phishing reply notification & alerting, reply tracking
Non-email based testing (e.g. Smishing / SMS, or Vishing / voice, found USB drive)
Testing analytics and user attribution (e.g. role, day/time of response, demographics)
Industry benchmarking for security awareness performance
Prebuilt library of Interactive training modules
E-learning delivery with live or self-paced modules
Security awareness materials for distribution
Custom-test building tools for company-specific tests
Reinforcement training, gamification, knowledge retention testing
Auto-assign security awareness training for new or vulnerable employees
Company-wide simulation response analytics and reporting
Certification training for security personnel
Industry-specific certifications (e.g. federal security, banking)
Pricing Information
Security awareness training is available on per seat basis. Larger companies with greater pools of employees pay less per seat. Additionally, security awareness training offer tiers of service. Lower tiers of service provide core services like phish testing, and online training. Higher levels of service may include more elaborate testing (e.g. found USB device testing, BEC simulation), and more testing modules, as well as knowledge certifications. Security awareness service providers may also provide cybersecurity suites of software, or security appliances. These vendors offer the option to bundle security awareness training with email security services, threat intelligence, and related services.
