The Future of Employee Security Awareness Behaviour and Culture Change for Enterprise Organisations

This is the first in a series of blog posts showing how changing security culture can reduce human risk and get your employees to genuinely engage with your security awareness programme.


By getting your employees to report more, you have the data to turn the spear phishing, business email compromise and ransomware lures they see every day into simulations that can be replayed against colleagues who face similar risks across the business.


By using machine learning within a positive, gamified security culture, you can automate the delivery of training on the types of attack each employee is likely to face, and get far better results than the old way of security awareness training. Below are the three main challenges we hear from clients every day that get in the way of building a strong security culture.

  • 70% of organisations with security awareness training have had an incident caused by employee security behaviour. Awareness training alone is not reducing risk effectively enough.

Knowledge retention improves when adaptive control algorithms drive just-in-time training based on real threats. The most effective approach we have found is to use adaptive continuous algorithms to automate the flow of learning according to each learner’s level of knowledge.

  • Social engineering attacks such as phishing go unreported by employees.

Gamification and employee-focused techniques encourage employees to report more potential attacks.

By making training fun and engaging, you can reward employees with points when they report threats and let them compare their progress with colleagues on a leaderboard.

  • Employees still click on phishing emails within organisations that believe they have a good security culture. How do you prove you have minimised risk?

The industry is flooded with pop-up awareness training providers throwing around the terms “awareness”, “behaviour” and “culture” almost interchangeably. Forgetting the marketing hype, what do these terms mean to organisations looking to reduce cyber security risk?

Security Awareness simply means, “does an employee know how to behave securely?” Raising awareness does not guarantee an improvement in behaviour or a reduction in risk. Security behaviour is how people behave from a security perspective in real-life situations (e.g. do they set strong passwords?).


This is influenced by awareness, capability, attitude, cognitive process and social norms. Measuring security behaviour is a good proxy for risk, at least for known behaviours.


Ira Winkler, RSA keynote speaker, explains the science behind behavioural change in his white paper here: https://www.hoxhunt.com/blog/case-study/ira-winkler-why-hoxhunt-is-unique


Awareness training alone is not reducing risk effectively enough.

Today learning is about “learning flow” and not “instruction”, helping bring learning and knowledge retention to people throughout their digital experience.


A major challenge for clients is how to get employees to take cyber security training, and retain what they learn, amid their daily routine and constant digital distraction.


Security awareness and behaviour change on their own aren’t enough. The aim is security learning flows: changing your security culture and minimising risk to employees and the business by ensuring the training each employee receives is matched to their job role, function and geography, with minimal disruption to their working day.


Organisations are now working on the best methods to:

  • Take information on typical attacks relevant to their employees’ job roles and provide just-in-time training.

  • Explain to business stakeholders how information captured from attacks in the wild can be turned into automated phishing simulations pitched at each employee’s level of expertise.

  • Use machine learning to automate the learning process in a positive way.

  • Apply the science behind automating this process, using adaptive continuous algorithms to run the flows above on autopilot according to each user’s level of knowledge.

By using a solution with adaptive continuous algorithms, they can add value to existing manual processes and provide just-in-time training to minimise risk.


“There is no such thing as memorizing. We can think, we can repeat, we can recall and we can imagine, but we aren’t built to memorize. Rather our brains are designed to think and automatically hold onto what’s important. While running away from our friendly neighbourhood tiger, we don’t think “You need to remember this! Tigers are bad! Don’t forget! They’re bad!” We simply run away, and our brain remembers for us.”

Gabriel Wyner, Fluent Forever: How to Learn Any Language and Never Forget It

Enterprises spend large amounts of time and money on information security training and awareness for employees to drive various positive outcomes: better threat responses, reduced risky behaviour, and increased regulatory compliance. However, the metrics and reporting on the actual success of these training and awareness activities are often lacking, especially when you consider the level of detail that goes into most other security-related reporting.


The goal of these activities should not be to satisfy a "check-the-box" mentality, but to bring positive behavioural change within an organisation, according to our recent document: A manifesto for changing the way we think about Security Awareness & Traditional Learning Development Programs.


Overcoming training and awareness challenges: security awareness campaigns can underperform for many reasons, including:

  • Lack of effective messaging - lacklustre content that fails to achieve the desired outcome.

  • Lack of engagement - failure to appropriately engage the user or failure to communicate the importance of good cyber hygiene and its impact on the enterprise.

  • Campaign design - inapplicable or mis-targeted campaigns, or content packed too densely into a communication channel, causing the audience to stop listening. Audience drop-off is not acceptable in a security awareness context: those individuals who do not progress from one stage to the next represent a potential source of unaddressed risk for the enterprise.

Security and awareness professionals are facing increasing forces of change. New technologies and the emergence of artificial intelligence hold major implications for the way security awareness managers provide services to their stakeholders and internal clients. Increasing pressure from leadership to deliver tangible value demands new and more effective solutions. Digital transformation is at the top of everyone’s agenda and is occupying security awareness minds and resources. There is no option to stand still.


Are you well positioned to fully exploit your role as an agent of continuous improvement across your organisation? Beyond extending formal learning solutions, security awareness today also needs to embrace automated security learning flows in order to adapt to an ever-changing, fast-moving environment where learning and working are increasingly intertwined, and where learning from working is as important as, if not more important than, learning to work.

  • Plan to focus on learning at the point of work: just-in-time learning focused on providing practical solutions to situations faced by employees in the moment. We call this security awareness learning flows.

  • Plan to focus on adaptive learning: including using algorithms to orchestrate interaction with the learner to deliver customized resources and learning activities that address the unique needs of each learner.

  • Plan to focus on adaptive control algorithms: including micro-learning, adaptive learning and artificial intelligence.

On-the-job learning is more important for workers’ human capital development and knowledge retention than formal training. This also highlights the importance of keeping workers’ skills up to date through informal learning in the workplace when skill demands change frequently due to technological and organisational innovations.


For security awareness to remain relevant, we need to develop new, business focused and technology-enabled ways to support workers to deliver business results. This involves exploiting new ways of working, new technologies and machine intelligence.


The increasing “granularisation” of formal learning has been an extension of e-learning over the past 20 years. Although this has resulted in providing marginally easier access to learning content, it fails to address a fundamental issue; e-learning and “micro-learning” remain formal learning approaches, as do higher bandwidth video-based systems and rich media learning solutions. They are not exploiting the full potential of technology to deliver business results. To achieve this, security awareness needs to fully embrace knowledge retention using security flows and learning from working.


Most of our learning results from our working experiences and requires constant exposure to new situations, practice, the opportunity to interact with others and, most importantly, time to reflect. As a result, learning can occur anywhere and at any time, and often where we least expect it. Today’s security awareness departments need to focus on supporting action and output, not on information.


This presents a challenge for many security awareness professionals. Careers have been spent designing, developing and delivering content to be ‘consumed’ by internal or external clients. Over the past 50 years L&D professionals have been engaged in developing primarily content-rich, experience-poor solutions. Yet ‘learning’ is all about retention.

We are not taught how to learn in school; we are taught how to pass tests. The spacing effect is a far more effective way to learn and retain information because it works with our brain instead of against it.


“How do you remember better? Repeated exposure to information in specifically timed intervals provides the most powerful way to fix memory into the brain. …Deliberately re-expose yourself to the information more elaborately, and in fixed, spaced intervals, if you want the retrieval to be the most vivid it can be. Learning occurs best when new information is incorporated gradually into the memory store rather than when it is jammed in all at once.”

John Medina, Brain Rules
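As an added example (not code from the original post, nor from any vendor's product), the Python sketch below shows one way the "adaptive continuous algorithm" idea from the planning list above and the spaced-interval idea in the Medina quote could be combined into a scheduler for phishing simulations. Each employee carries a difficulty level and a review interval; reporting a lure raises the difficulty and lengthens the gap, clicking lowers it, shortens the gap and triggers just-in-time micro-training on the lure that worked. It also computes the programme-wide report and click rates that a programme owner would use to answer "how do you prove you have minimised risk?". All learner names, outcomes, level and interval ranges and the multipliers are constructed assumptions for the demonstration, not figures from the post.

```python
"""Adaptive, spaced scheduler for phishing simulations (illustrative only).

Added example; not the original post's code or any product's algorithm.
Level/interval ranges and multipliers below are assumptions for the demo.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Tuning constants (assumed, not taken from the post)
MIN_LEVEL, MAX_LEVEL = 1, 5            # 1 = obvious lure, 5 = targeted spear phish
MIN_INTERVAL, MAX_INTERVAL = 3, 60     # days between simulations for one learner
GROW_ON_REPORT = 2.0                   # spacing multiplier after a correct report
SHRINK_ON_CLICK = 0.5                  # spacing multiplier after a click
SHRINK_ON_IGNORE = 0.75                # spacing multiplier when nothing happened


@dataclass
class Learner:
    name: str
    level: int = MIN_LEVEL
    interval_days: int = 7
    next_due: date = date(2024, 1, 1)
    history: list = field(default_factory=list)   # (outcome, lure level) pairs


def schedule(learner: Learner, outcome: str, today: date):
    """Update difficulty and spacing after one simulated email.

    outcome is 'reported', 'clicked' or 'ignored'.
    Returns the just-in-time action to trigger for this learner, or None.
    """
    lure_level = learner.level
    learner.history.append((outcome, lure_level))
    action = None
    if outcome == "reported":
        # Correct behaviour: harder lure next time and a longer gap (spacing effect).
        learner.level = min(MAX_LEVEL, learner.level + 1)
        learner.interval_days = min(MAX_INTERVAL, int(learner.interval_days * GROW_ON_REPORT))
    elif outcome == "clicked":
        # Failure: step the difficulty down, shorten the gap, and train right now
        # on the lure that worked while it is still fresh.
        learner.level = max(MIN_LEVEL, learner.level - 1)
        learner.interval_days = max(MIN_INTERVAL, int(learner.interval_days * SHRINK_ON_CLICK))
        action = f"micro-training:{outcome}:level-{lure_level}"
    elif outcome == "ignored":
        # Neither reported nor clicked: keep the level, but come back sooner and
        # remind the learner how to report, so the reporting habit is reinforced.
        learner.interval_days = max(MIN_INTERVAL, int(learner.interval_days * SHRINK_ON_IGNORE))
        action = "nudge:how-to-report"
    else:
        raise ValueError(f"unknown outcome {outcome!r}")
    learner.next_due = today + timedelta(days=learner.interval_days)
    return action


def programme_metrics(learners):
    """Report and click rates over every simulation sent so far."""
    outcomes = [o for learner in learners for o, _ in learner.history]
    n = len(outcomes)
    if n == 0:
        return {"simulations": 0, "report_rate": 0.0, "click_rate": 0.0}
    return {
        "simulations": n,
        "report_rate": outcomes.count("reported") / n,
        "click_rate": outcomes.count("clicked") / n,
    }


def run_demo():
    """Constructed sequence of outcomes for two learners (sample data)."""
    alice = Learner("alice")
    bob = Learner("bob")
    # alice reports three lures in a row: difficulty climbs, spacing doubles each time
    today = date(2024, 1, 1)
    for _ in range(3):
        schedule(alice, "reported", today)
        today = alice.next_due
    # bob clicks the first lure, gets trained immediately, then reports the next one
    first_action = schedule(bob, "clicked", date(2024, 1, 1))
    second_action = schedule(bob, "reported", bob.next_due)
    return alice, bob, first_action, second_action, programme_metrics([alice, bob])


if __name__ == "__main__":
    alice, bob, a1, a2, metrics = run_demo()
    print(alice, bob, a1, a2, metrics, sep="\n")
```

The point of the structure is that the schedule is driven by observed behaviour (the reporting data the post wants you to collect) rather than by a fixed calendar, and that the metrics fall out of the same event history, so the evidence that risk is falling is produced by the programme itself rather than by a separate survey.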
