
Security Awareness Challenge: Insights from Gartner Cybersecurity Awareness Survey

The 2022 Gartner Cybersecurity Awareness Survey highlights key trends, challenges, and opportunities in security awareness programs. Learn how to bridge the gap between effort and impact by adopting core tactics, behavior-based metrics, and innovative strategies.

When it comes to security awareness programs, organizations are investing significant time and resources into various initiatives. However, the results often remain elusive, leaving leadership to wonder whether these efforts are truly making an impact.

The 2022 Gartner Cybersecurity Awareness Survey sheds light on the adoption of core security awareness capabilities, revealing key trends and challenges in building effective, long-lasting programs.

High Adoption of Core Tactics: Building a Foundation for Cybersecurity Awareness

One key challenge that often emerges in security awareness programs is employee perception. As one employee might put it:

Many employees may view phishing tests as efforts to trick or shame them rather than as opportunities to learn. Addressing this perception is critical to ensuring program effectiveness. A thoughtful, empathetic approach can transform these exercises into empowering experiences for employees, fostering a culture of trust and collaboration.

Picture 1: Challenges in Measuring Security Awareness Effectiveness

According to the survey, organizations are increasingly relying on core security awareness tactics to address the growing threats of cyberattacks. These methods, which are widely adopted across industries, focus on equipping employees with the skills and knowledge necessary to identify and respond to security risks effectively. The most commonly used tactics include:

  • Phishing Simulations (93%): These simulations allow employees to experience realistic phishing scenarios, helping them recognize and respond to malicious attempts before they cause harm.
  • Training Modules (92%): Comprehensive and structured training programs provide employees with the foundational knowledge they need to understand and mitigate cybersecurity risks.

These high adoption rates highlight a strong focus on tactics that directly engage employees and provide practical, actionable learning experiences.

Moderate Use of Common Tactics: Enhancing Security Awareness Through Supplementary Strategies

In addition to core tactics, many organizations are leveraging supplementary tools to reinforce their programs. These tools aim to provide additional layers of communication and engagement, ensuring that employees remain consistently exposed to key cybersecurity messages. Examples include:

  • Emails (76%): Regular email communications keep employees informed about security policies, potential threats, and best practices.
  • Intranet Posts (65%): Company intranets serve as central hubs for sharing updates, reminders, and resources on cybersecurity.
  • Videos (64%): Short, engaging videos simplify complex topics and help maintain employees’ interest in cybersecurity training.
  • Newsletters (62%): Periodic newsletters provide a consistent stream of information to keep cybersecurity top of mind.

These common tactics ensure the security awareness message is repeated across multiple touchpoints, promoting consistency and reinforcement.

Lagging Adoption of Additional Tactics: Unlocking Untapped Potential for Cybersecurity Awareness

Despite their potential to significantly enhance engagement and overall program effectiveness, some tactics remain underutilized by organizations. These methods, while not as commonly adopted as core tactics, offer unique opportunities to foster creativity, collaboration, and deeper employee involvement in cybersecurity awareness efforts.

  • Quizzes (51%): These interactive assessments help measure employee understanding and retention of training content.
  • Executive Presentations (45%): Presentations led by leadership demonstrate the organization’s commitment to cybersecurity and align strategy across all levels.
  • Webinars (33%): These online seminars provide a platform for experts to share insights, enabling employees to learn in an interactive and engaging format. Despite their effectiveness, webinars are often underused due to time constraints and the perceived effort required to organize them.
  • Gamification (30%): By turning training into games, organizations can make learning fun and engaging. Gamification encourages healthy competition and improves retention, but adoption is limited by resource requirements and skepticism about its ROI.
  • Lunch & Learns (23%): These informal sessions combine training with a casual meal setting, fostering collaboration and open dialogue among employees. While impactful, they are frequently overlooked due to logistical challenges and scheduling conflicts.

Traditional Metrics: Measuring Success or Limiting Progress in Cybersecurity Awareness Programs

The survey highlights that many organizations still rely on basic metrics to evaluate the effectiveness of their cybersecurity awareness programs. These metrics are designed to measure specific aspects of program performance, offering a snapshot of how well employees are engaging with training and responding to simulated threats. Examples of these metrics include:

  • Global Fail Rate: Tracks the proportion of employees who fall for phishing simulations.
  • Global Report Rate: Measures the proportion of simulated phishing messages that employees report.
  • Global Completion Rate: Indicates the percentage of employees completing training modules.

While these metrics provide a snapshot of program participation and immediate outcomes, they fall short in assessing long-term behavior changes or real-world risk reduction. Organizations should consider incorporating metrics that reflect the true effectiveness of their programs in preventing security breaches.
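To make the limitation concrete, the following Python example, written for this page and not code from Keepnet, Gartner or the survey, computes the three traditional metrics over a small constructed set of phishing-simulation results and then two behavior-oriented views of the same data: which employees fail repeatedly, and how quickly reported messages are reported. The record layout, field names and every sample value are assumptions made for the example; the point is that a single global fail rate hides whether failures are concentrated in a few people, and a flat report rate hides whether responsiveness is improving from one campaign to the next.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample data (not survey data): one record per employee per
# phishing simulation campaign. The field names are assumptions for this example.
@dataclass(frozen=True)
class SimulationResult:
    user: str
    campaign: str
    clicked: bool                     # employee fell for the lure
    reported: bool                    # employee reported the message
    minutes_to_report: Optional[int]  # None when the message was not reported


RESULTS = [
    SimulationResult("alice", "q1", False, True, 4),
    SimulationResult("bob",   "q1", True,  False, None),
    SimulationResult("carol", "q1", False, False, None),
    SimulationResult("dave",  "q1", True,  True, 30),
    SimulationResult("alice", "q2", False, True, 3),
    SimulationResult("bob",   "q2", True,  False, None),
    SimulationResult("carol", "q2", False, True, 12),
    SimulationResult("dave",  "q2", False, True, 9),
]

# Training completion, one flag per employee (constructed).
TRAINING_COMPLETED = {"alice": True, "bob": False, "carol": True, "dave": True}


def global_fail_rate(results):
    """Share of simulation deliveries in which the employee clicked."""
    return sum(r.clicked for r in results) / len(results)


def global_report_rate(results):
    """Share of simulation deliveries that the employee reported."""
    return sum(r.reported for r in results) / len(results)


def global_completion_rate(training):
    """Share of employees who completed the assigned training module."""
    return sum(training.values()) / len(training)


def repeat_failers(results, threshold=2):
    """Employees who clicked in at least `threshold` campaigns.

    This is the behaviour the global fail rate hides: the same headline
    rate can come from one habitual clicker or from many one-off clicks.
    """
    counts = {}
    for r in results:
        if r.clicked:
            counts[r.user] = counts.get(r.user, 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def median_minutes_to_report(results, campaign=None):
    """Median time-to-report among reported messages, optionally per campaign.

    Responsiveness is a behaviour metric: a falling median across campaigns
    is evidence of change that a flat report rate would not show.
    """
    times = [
        r.minutes_to_report
        for r in results
        if r.reported
        and r.minutes_to_report is not None
        and (campaign is None or r.campaign == campaign)
    ]
    return median(times) if times else None


if __name__ == "__main__":
    print(f"global fail rate:       {global_fail_rate(RESULTS):.1%}")
    print(f"global report rate:     {global_report_rate(RESULTS):.1%}")
    print(f"global completion rate: {global_completion_rate(TRAINING_COMPLETED):.1%}")
    print(f"repeat failers:         {repeat_failers(RESULTS)}")
    for campaign in ("q1", "q2"):
        print(f"median minutes to report, {campaign}: "
              f"{median_minutes_to_report(RESULTS, campaign)}")
```

In the constructed data the fail rate is unchanged between the two campaigns only because one employee clicks every time, and the median time-to-report drops from 17 to 9 minutes even though the headline report rate is the figure most programs would publish. Both observations come from the per-employee and per-campaign views, which is why a behavior-based program tracks them alongside the global rates rather than instead of them.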

Keepnet integrates Gartner’s recommended Security Behavior and Culture Program (SBCP) to help organizations achieve meaningful and measurable outcomes in their security awareness efforts. The program shifts the focus from mere participation to real behavioral changes and improved security postures.

Key benefits of this approach include:

  • Measuring Behavioral Change: Tracking how well employees internalize and apply security best practices in their day-to-day roles.
  • Cybersecurity Benefits: Demonstrating reduced incidents, quicker response times, and enhanced threat detection capabilities.
  • Business Outcomes: Quantifying tangible benefits like cost savings, risk mitigation, and improved operational resilience tailored to the organization’s needs.

The Road Ahead: Rethinking Security Awareness

The data reveals a pressing need for organizations to rethink their approach to security awareness programs. To achieve sustained success, organizations should consider the following:

  1. Integrate Behavior-Based Metrics: Move beyond traditional metrics to include measurements of employee behavior, such as responsiveness to simulated attacks and adherence to protocols.
  2. Leverage AI and Personalization: Use AI-driven insights to deliver customized training paths that address the unique risks associated with specific roles or departments.
  3. Expand Adoption of Additional Tactics: Experiment with innovative approaches like gamification and leadership-led initiatives to foster deeper engagement and cultural alignment.
  4. Focus on Cultural Transformation: Build a culture of shared responsibility where every employee feels invested in maintaining the organization’s security posture.

Conclusion

The Gartner survey underscores the gap between activity and outcomes in many security awareness programs. To bridge this gap, organizations must adopt strategic, data-driven, and human-focused methodologies. By doing so, they can ensure that their investments in security awareness translate into meaningful, lasting results, transforming these programs into pillars of organizational resilience.
