GigaOm Radar for Security Awareness and Trainingv1.0

1. Summary

Designing a defense strategy against cyber threats for systems, networks, and data that focuses only on technologies does not guarantee an organization’s information assets will be protected. Neglecting the risk associated with the human factor for securing the company’s perimeter is an oversight that sooner or later will be exploited by cybercriminals. The statistics prove it. The majority of successful cyberattacks are made possible by accidental human failure, often due to a person’s lack of vigilance, ignorance of the issues and risks related to certain behaviors, or a lack of commitment to contributing to the defense of the organization’s security.

The question that arises, therefore, is how to make employees themselves a firewall against cyberthreats. The answer involves the systematization of awareness and training in security concerns for all company employees.

This is nothing new because security awareness and training (SA&T) programs have been around for a relatively long time in the IT world. And yet attacks exploiting human vulnerability continue to succeed.

Why? The battle to capture the very fragmented attention of employees during training is ongoing. The challenge is no longer just about the content of SA&T programs but increasingly about the mechanisms, methods, and means of delivering the content in such a way that it is impressed on the mind of each employee. The goal is to both change the organizational culture toward security and to impact employee behavior to support it.

The market’s response to this challenge comes from companies that were already specialized in the training of cybersecurity experts or from young and innovative offshoots that were launched specifically to address the need for SA&T in organizations.

The notable difference between the two types of SA&T providers lies in the way they approach the issue. Those already involved in training tend to concentrate on the breadth and richness of the cybersecurity library content, while those newer to the SA&T field focus more on how that content is delivered, with the clear and stated goal of having an observable and measurable impact on individual behaviors and enterprise cultural changes. To do this, these providers use psychological concepts governing the mechanisms of behavior change in humans coupled with innovative pedagogical concepts. SA&T subjects are delivered in micro and nano capsules dealing with a particular point or by resorting to audiovisual or gamification techniques from the world of entertainment.

Clearly, both content and delivery are important, so the choice of an SA&T product should consider not only the richness and continuous renewal of the cybersecurity library content but also the methods, means, and format of delivering of security topics.

This GigaOm Radar report highlights key SA&T vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Security Awareness and Training Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.