How to develop effective security awareness training

How to develop effective security awareness training

Fortra's Terranova Security

According to Matthew Fish from Fortra’s Terranova Security, organisations need to teach workers how to minimise the risk of cyberattacks through engaging, up-to-date content  

Guest contributor |


Millions of people and thousands of businesses are victims of cybercrime every year. With over 3.4 billion phishing emails being sent every day, according to Valimail’s Spring 2019 Email Fraud Landscape, phishing is one of the most common types of cyberattacks, alongside denial-of-service and man-in-the-middle attacks. This means it’s crucial for employees to be able to recognise malicious emails.  

Cybersecurity awareness training provides employees with the knowledge required to protect confidential information from cybercriminals. It aims to educate all workers – including full-time employees, freelance contractors and any other individuals who access, share, store and edit organisational data – about the types of behaviours that amplify risk, such as clicking on a link, reusing passwords, or entering sensitive information into a suspicious webpage form.  

For training programmes to be successful, they need to be engaging and leverage phishing simulations and other web-based communication and reinforcement tools to help employees prepare for real-world security scenarios. This, in turn, will enable organisations to mitigate the risk of employees mistakenly disclosing sensitive information and reduce the costs associated with potential data breaches.  

We recommend that businesses follow four key pillars to deliver engaging and insightful training that will successfully change how their employees approach cybersecurity. 

1. Create high-quality content 

Security awareness training programmes need to deliver high-quality and relevant content in order to attract employees to participate. This means they should include task-oriented instruction and content tailored to specific job roles. For example, the risk of cyberattack is highest for individuals who work in leadership roles and manage money and people. We recommend these managers go through a few phishing simulations to learn how to detect fake invoices so that they don’t share credentials unwillingly.  

Content should be created by a team of domain experts that understand adult learning and the current cybersecurity trendsand compliance requirements. Task-oriented instructions, customisable courses and microlearning modules will all engage participants in the learning process.  

2. Choose whether to deploy personalised or pre-built training platforms  

Both pre-built and personalised security programmes deliver effective cybersecurity awareness training but it’s the level of efficiency that separates the two. Pre-built training schedules allow businesses to deploy training quickly by addressing common cybersecurity challenges that are experienced by all organisations whereas personalised campaigns consider the various security requirements and regulations in the different countries the company operates in. Larger businesses with time to plan their security campaign rollout may choose the personalised route, for example, to create content in different languages or ensure it covers security threats specific to all its departments and offices.  

3. Decide whether training content should be risk- or role-based  

IT and security teams looking to plan a cybersecurity awareness campaign will need to decide whether to target training content via risk type or employees’ roles. The first option aims to tackle specific issues an organisation faces like phishing or repeated passwords, while the second focuses on the problems particular to a department such as fake invoices going to accounting teams or social engineering for those in management.  

4. Invest in real-world phishing simulations 

Users need to be trained to detect phishing emails to prevent data breaches causing systems to go out of service. Phishing simulations are an essential aspect of any cybersecurity awareness training campaign. For example, IBM’s Cost of a Data Breach Report 2022 found that phishing was the second most common cause of a data breach at 16 per cent, and also the costliest, averaging $4.91 million in breach costs. Received in an alarming number of variants, users need to be prepared to counter phishing attempts from everything from social engineering to full-blown fake websites. 

Once a simulation platform has been chosen and deployed, IT and security teams can use the built-in analytics to determine if any further training is needed. For instances, businesses might then decide to create newsletters with links to video-based training. 

For many businesses, the prospect of developing cybersecurity awareness training can seem daunting, but consulting a visionary partner like Fortra’s Terranova Security can make it easy to establish strong security awareness goals, build training courses, implement automated results-based learning tools and decide how best to launch a campaign. We can deliver the subject matter expertise and support they need to plan and execute a successful cybersecurity programme that is specifically designed o meet the individual needs of their organisation.  

Matthew Fish is senior product marketing manager at Fortra's Terranova Security

This article was originally published in the Summer 2023 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription

Subscribe to the Technology Record newsletter


  • ©2024 Tudor Rose. All Rights Reserved. Technology Record is published by Tudor Rose with the support and guidance of Microsoft.