January 2, 2024

Last Updated on January 17, 2024

3 Tips to Improve Your Security Awareness Training

For many organizations, the goal of security awareness training is to drive down the click rate on phishing emails. The way to know if that’s happening is to repeatedly run phishing simulations and measure the percentage of users who click the link.

But is “zero clicks” the right goal? And is number/percentage of clicks the right key performance indicator (KPI) to judge how well your security awareness training program is working?


Your goal should be to improve reporting rates, not click rates

Focusing on click rates bases your security awareness training program on a false expectation. Humans are imperfect. You’ll never drive your click rate to zero.

Trying to get there—especially with frequent phishing simulations—could hinder your real-world results. Users can end up feeling “attacked” and thus anxious and/or defensive. This makes what should be seen as valuable skill-building feel like a chore, or worse.

According to Gaby Friedlander, founder of Wizer, a better goal is to maximize the percentage of users who report that they’ve clicked a malicious link or have otherwise been scammed online in a work context.

It’s also important to reward the behavior you want to see more of. “Tell them, ‘Hey, good job, you clicked but you reported.’ It’s really about what you measure and how you approach it,” Gaby advises.


Take a risked-based approach to training effectiveness

All clicks are not created equal. “I would ask, who clicked?” Gaby suggests. “There is a difference if your CFO clicked, versus someone who doesn’t have access to your crown jewels.”

From the standpoint of risk, a click-through percentage by itself doesn’t tell the whole story. The potential to click on a malicious link is a vulnerability. But how risky is that click?

If the vulnerability to clicking a malicious link is exploited, what is the impact on the organization? That depends on factors like:

  • Who clicked?
  • Where did they click (laptop, tablet, etc.)?
  • What privileges do they have in that context?
  • Is the network properly segmented?
  • How good is the patch management program?
  • Did the user report the incident?
  • How fast did they report it?

Whatever their level of access to sensitive data, if the victim doesn’t report the event, the risk of the vulnerability being exploited is greater. Similarly, if they delay reporting this could increase the chances of a successful attack.


Look beyond phishing simulations

Security awareness goes beyond a user’s success rate at not clicking on phishing emails. These days it needs to encompass other social engineering attack vectors, including voice calls and text messages.

This is another reason to look beyond click rates as a KPI for training effectiveness. It’s also a call to get more creative with the use of simulations and look beyond phishing emails.

“I think we’re overly investing [in phishing simulations] without too much thinking about all the other attack vectors just because we don’t have the tools to measure those like we do with email,” Gaby notes.

It could be said that “security starts at home.” In this era of working from home and using personal devices on corporate networks, how you protect your personal data online impacts your risk exposure at work. Awareness of what you share on social media can impact your vulnerability to more sophisticated and targeted social engineering attacks.


What’s next?

For more guidance on this topic, listen to Episode 127 of The Virtual CISO Podcast with guest Gaby Friedlander, founder of Wizer.