Jon-Louis Heimerl, senior security strategist at Solutionary, agreed, noting that even at companies that do have SAT programs, a "check-the-box" mentality sends a message to workers that, "the organization does not really care, which makes the employees not really care."
Heimerl said the problem is that, too frequently, companies don't strive to make the training relevant. "True security awareness is not just an introduction to some security concepts," he said. "You have to teach employees new habits, then encourage them to support those habits, and reinforce the good habits.
"And the security training has to work for that employee in that organization. What works for Pete at Big Blue Bank will probably not work for Mary at ACME Healthcare."
Another problem is the fatalistic view that training is not worth the time and expense, since all it takes is one person to click on a malicious link and the enterprise is compromised.
To that, Monahan wonders if they have the same view of Transportation Security Administration (TSA) screening at airports, when, "it only takes one terrorist to get through and blow up a plane."
While acknowledging that one mistake can cause a major problem, "the goal of the programs is to reduce the attack surface and associated risk," he said.
Heimerl acknowledges that SAT "can be of limited value if it does not change habits. But to say, 'we don't do security training because someone will fail,' is a defeatist attitude. That is like saying we will stop licensing drivers because someone crashed."
Workers seem to grasp the importance of training being relevant. When asked by EMA what they considered the most important attributes for SAT, the top two choices were "easy to understand" at 66%, and "easy to apply to real life" at 61%.
So, experts say, solving the lack of effective SAT is simple, but not easy. "Most organizations undervalue SAT, and undervalue the amount of energy it takes them to do proper awareness training, and undervalue the amount of time it takes employees to take proper awareness training," Heimerl said.
The good news is that, for enterprises that are interested, there is plenty of guidance available. The Information Security Forum offers 10 principles to embed positive security behaviors into employees. They include:
- Make systems and processes as simple and user-friendly as possible;
- Help employees understand why their security habits are important;
- Motivate workers to protect the business, and empower them to make the decisions necessary to do so;
- Don't simply give orders to employees; sell them on security habits;
- Use multiple departments, like marketing and human resources, to help embed security behaviors;
- Hold employees accountable by rewarding the good and confronting the bad.