Mobilising your human defence

In the past decade, cyber security has transformed from a niche field to a key issue for corporate boards and leaders. Interestingly, as leaders have increased focus on defending against cyber attacks, the attackers have increasingly targeted rank-and-file employees as a means of accessing valuable information stored on corporate networks. This dynamic has made providing effective employee security awareness training a crucial element of every organisation’s security posture. A well-trained workforce can do more than just avoid clicking on malicious links; it can become an active layer of threat prevention.

Providing effective training

Effective security training utilises principals from educators and marketers – two groups who rely on changing behaviour to perform their jobs – to improve employee security behaviour.

Security training that is quick, interactive, minimally disruptive to the user, and is above all interesting, is the best way to grab and keep a person’s attention and make the process memorable. If people enjoy security training and talk about it with their peers, not only will they be more likely to participate, the experience will be more memorable.

Since phishing is the most common entry point for emerging threats on enterprises, crowdsourcing phishing detection allows the first line of defence to report attacks as soon as they hit your network

Another important way to ensure training is impactful is to make the process immersive. In the same way that a fighter pilot learns by training in a flight simulator, deliver security training in an immersive fashion by simulating the attack methods used by adversaries and providing instant feedback to users who fall victim to the attack. Focus training on the issues that are most relevant to your users and organisation, and measure the outcome of each exercise you conduct. Using these methods, you can reduce employee susceptibility to the social engineering tactics favoured by cyber criminals, nation states and hacktivists.

Measure progress and improve

An important practice for any security training programme is to measure its effectiveness. However, most programmes fail to gather actionable metrics. Many teams are measuring things, such as the number users who complete a course or attended a lunch, instead of the number of incidents related to a specific IT risk area. This is akin to looking at the number of times a person visits a dentist each year, instead of the number of dental incidents (cavities, root-canal treatments and so on), and using that data as an indicator of good dental health.

Metrics measuring overall vulnerability to phishing e-mails are useful as a baseline to assess organisational readiness for a phishing attack, but offer much more insight. Measuring susceptibility after each security training exercise provides a perspective of which concepts are working and which ones are not, allowing organisations to refine techniques to improve the programme.

Programmes that collect meaningful metrics about behavioural change within their organisation can make effective decisions and drive desired change with the data to back it up.

Leveraging a trained workforce

Once users have learnt to recognise potential attacks, organisations can begin to tap into a new source of threat intelligence. If trained users can easily report suspicious e-mail activity to the security team, it provides incident responders with valuable information that has previously been elusive. Since phishing is the most common entry point for emerging threats on enterprises, crowdsourcing phishing detection allows the first line of defence to report attacks as soon as they hit your network.


Attackers are targeting users for a simple reason – they are the easiest point of entry to corporate networks. Enterprises that employ immersive training techniques through simulated attacks can not only train employees to recognise and avoid falling victim to attacks, they can leverage that trained workforce actively to detect attacks and mitigate the damage from data breaches.