Positive Approaches to Cybersecurity Training

A central responsibility for CISOs and other security leaders is building stakeholder support for cybersecurity across the organization -- from the board to entry-level employees. One way to do this is by focusing on positive reinforcement. This element of engagement is often overlooked, as it can be difficult to communicate about serious issues like cybersecurity in positive ways. But a culture of cybersecurity need not be based on fear. 

While core aspects of accountability include identifying employees’ psychological vulnerabilities, closing knowledge and skills gaps, and addressing mistakes that could put the organization at risk, none of these elements of awareness training require punitive interactions. Punishing and criticizing employees is more likely to frustrate and discourage them than inspire them to do better. When cybersecurity education is constructive, employees will be far more inclined to pay close attention and put what they learn into practice.  

Effective awareness training is all about sustainable behavior change, which means providing compelling incentives for employees to adopt healthier cybersecurity attitudes and habits. Employees shouldn’t be penalized for making mistakes -- they should instead receive helpful feedback on where they can improve, along with frequent reminders that they have the power to keep the organization safe from cyberattacks.  

Related:6 Ways to Manage Cybersecurity Burnout and Support Teams Better

How Awareness Training Can Empower Your Workforce 

Social engineering is one of the most destructive cybercriminal tactics -- 74% of all breaches involve a human element, and phishing ranks among the most common and harmful cyberattacks. When employees see statistics like these, it’s natural to feel intimidated -- how can they hope to protect the company from ever-evolving cyberattacks? This challenge is more daunting as social engineering attacks become increasingly sophisticated in the age of AI.  

But just as human error is to blame for a huge proportion of successful cyberattacks, employee awareness deserves credit for preventing countless more. IBM reports that one of the top mitigating factors of the total cost of data breaches is employee training, and given the continued reliance on social engineering, that training has never been more vital for protecting the company. These are points that security leaders have to consistently emphasize – when employees see that they’re capable of defending the organization, they will feel empowered instead of intimidated.  

By offering a positive vision of employees’ integral role in protecting the company, security leaders will show them that they don’t have to be victims. This is a critical step toward building a culture of cybersecurity at the company.  

Related:IT Security Hiring Must Adapt to Skills Shortages

Positive Reinforcement Works Better Than Punishment 

While accountability is essential for any training program, security leaders must be able to show employees what they’re doing right and wrong without attacking or belittling them. These leaders must establish security assessments and incident reporting mechanisms that will incentivize employees to keep them updated, even if those employees have made a mistake that put the organization at risk. 

It’s crucial for security teams to remember that employees are already under immense pressure. From the endless sprint to keep pace with rapid digital transformation to the dramatic shifts in how and where they work over the past few years, workplace stressors are plentiful. Positive reinforcement is particularly important as employee stress reaches all-time highs. To create a sustainable culture of cybersecurity, CISOs and other security leaders shouldn’t allow cybersecurity awareness training to become an extra burden to already-stressed employees.  

Companies can’t afford to alienate employees with oppressive threats and punishments. Such negative reinforcement will ensure that they either disengage or actively resist efforts to build up their cybersecurity awareness. Security leaders aren’t drill sergeants – they need to be educators capable of capturing the attention of busy employees who already have countless other distractions.  

Related:The Cybersecurity Crucible: Unsung CISO Struggles Under Fire

Demonstrating the Value of Awareness Training 

At a time when two-thirds of employees are struggling to keep up with constantly changing skills requirements, security leaders have an unprecedented opportunity to earn stakeholder buy-in for cybersecurity awareness training programs.  

According to Microsoft, 82% of company leaders say employees will need new skills for the AI era. This is particularly true for cybersecurity, as AI-powered cyberattacks like LLM-generated phishing messages and deepfakes are making social engineering attacks far more sophisticated and destructive. As the demand for cybersecurity skills surges, security leaders can highlight the ways these skills will help employees advance their careers and become better equipped for the workplace of tomorrow.  

Security leaders know employees have a pivotal role to play in protecting the company from cyberattacks, and the best way to build a culture of cybersecurity is to make sure employees know it, too. Beyond demonstrating all the ways employees can defend the organization with real-world examples of cyberattacks that could have been prevented through greater cyber awareness, security leaders can personalize training to account for their unique skill levels, behavioral profiles, and learning styles. This will show employees that the company is invested in their individual progress and give them a more engaging educational experience.  

When security leaders empower employees to become cyber defenders by showing them why security awareness training matters and focusing on positive reinforcement, they will build a culture of cybersecurity that will last for many years to come.