Cyber Risk Advisory

Maximizing ROI on cybersecurity training

Coalfire team jpg

Strategy, Privacy, and Risk Team

Blog Images 2023 maximizing roi 800 420

With many organizations facing understaffed IT and security departments with limited time and budget, it's smart to ask, "How do the benefits of security awareness training outweigh the costs?"

Key Takeaways:

  • Traditional training for compliance is ineffective for promoting and cybersecurity culture and sustained behavior change.
  • Knowing that adult workers consistently act according to their beliefs and values is the key to overcoming the “knowledge-intention-behavior” gap.
  • Aligning training messages and methodology with objectives and outcomes that adult workers care about motivates the desired behaviors.

CISOs, CIOs, and CTOs responding to the survey recently published in the 2023 State of the CISO Influence report dissatisfaction with the outcomes of their investments in security awareness. Some are reporting “user fatigue” with the traditional tools and methodologies, hoping that more innovative techniques like gamification will better engage their workers in the learning process. Fewer than half of the respondents reported that their security training strategy was achieving improved operational efficiency, reducing risk, or effectively promoting executive support for additional investment in security solutions.

With many organizations facing understaffed IT and security departments with limited time and budget, it’s smart to ask, “How do the benefits of security awareness training outweigh the costs?” Stated differently, “What are the barriers to achieving the kinds of outcomes that demonstrate a compelling ROI and rationalize the time, effort, and cost of security awareness training?”

Why cybersecurity awareness training doesn’t always work

Perry Carpenter, evangelist-security officer for KnowBe4, suggests that the “knowledge- intention-behavior gap” explains why breaches continue despite the investments companies make in building strong cybersecurity awareness programs. He observes that just because workers have been made aware of the risks of careless behavior and provided instruction on the proper use of tools and procedures doesn’t mean they will care or take the necessary actions to keep the company safe.

How, then, can security leaders overcome the “knowledge-intention-behavior” gap and improve the ROI on security awareness? Both research and field experience agree that traditional tools and methods fundamentally promote and reward mediocrity because they emphasize delivering information and largely ignore basic proven principles of learning, especially when applied to adult learners.

A better approach to security training

Effective security awareness programs influence workers to value the objectives and outcomes of the desired behaviors when they focus on understanding and satisfying these essential learning needs:

  • Mindset - Adults respond best to the transparency of purpose and benefit. Their behavior is driven by how they see themselves, their colleagues, and their world. “How does my behavior impact my performance, shape others’ perceptions, and contribute to the organization's success?"

  • Meaning - Adults deal with real-life problems. They are motivated to find solutions because it affects their daily lives. “The problem should be relevant and significant to me.”

  • Motivation - Adults act with urgency on principles and values. “I will protect what I judge to be important and valuable.”

In most instances, successful worker adoption of safer computing practices, such as password hygiene, depends on the attitudes the worker has towards safety, the perceived reality of the threat, and whether the requirement is sensible and convenient. To overcome these kinds of behavioral variables, we must be able to persuade workers by making the “business case” for security – shared objectives and values, reasons for and benefits of adoption, desired behavior(s), risks of failure, and request for their support. With a strong business case, there could actually be an ROI for security awareness training.

To learn more about how to motivate and make the business case for security to your employees, download our latest 2023 State of the CISO Influence report that will equip you with everything you need to maximize results on cybersecurity training.