Moving the needle on cybersecurity awareness training

Cybersecurity awareness training helps protect the critical infrastructure of our institutions. Making administrators, educators, and students aware of the sophisticated tactics criminals use blunts those tactics. Users who know the reporting procedures shorten response time. A better understanding of standards improves policy adoption. Completion of cybersecurity awareness training also ties directly to the insurability of an institution. In nearly all cases, increasing completion of training is a win-win: safer practices protect both users and the institution.

What threshold of compliance is enough?

In recent discussions among the CIOs, we are seeing that the level of cybersecurity awareness training completion on campus for staff and faculty varies, with the top level of compliance hovering around the 80% mark. The numbers by institution have been consistent over the past several cycles, and there is now a push to gain the wins of increased completion of training by students, faculty and staff at all institutions. That push comes from a place of concern for all the reasons mentioned above: protecting people and information. How do you define successful compliance? What is your target set at? 80%? 100%? What broad strategies will you undertake to move the needle towards success?

PATH 1: The STICK

Some may reach for the stick or banhammer: if a member of the institution does not complete training, remove their access. Going down this path has its advantages, but its outcomes should be considered. It will produce a rapid uptick in completion of the training. By definition, 100% of active users will have completed the cybersecurity awareness training, because completing it is required to remain a user. But who owns the decision to end access? IT can pull the plug, but if ownership of that decision sits entirely within IT, IT runs the risk of being perceived as a faceless goon that has stolen your ability to work and is now asking you to complete a training course to get it back. Users will complete the training and carry a continued resentment for forced compliance.

PATH 2: The CARROT

Others will try to demonstrate the value of cybersecurity awareness training, reaching out with demonstrations of the benefits, ease of compliance, and explanation. Going down this path has its positive elements, but its outcomes should be considered. Evidence in our conversation suggests that there is an upper limit to voluntary adoption of training that hovers around 80%. Exceeding that threshold is likely to follow a steeply rising cost curve, and the effort may stall well before 100% of users are trained. This creates a multi-dimensional balance point that needs to weigh risks and costs. It is a decision that ultimately needs endorsement from the highest levels of the institution. Is there an unlimited budget to go out and find those last few users?

PATH 3: CREATIVE APPROACHES

Some institutions have had success using carrots or sticks. Others have seen results using more unconventional or creative approaches. For example, some might offer levels of certification, breaking the training into more manageable chunks and getting attestations in writing at each stage. Or they might take the competitive approach by sharing dashboards (e.g. multi-factor authentication rollout by department) with university leadership, making an example of those that are compliant and those that are lagging behind, since seeing where you stand in relation to others creates action.

Summary

Many institutions blend approaches when it comes to staff and faculty training, seeking the camaraderie of voluntary compliance while needing the guarantees of forced adoption. In the absence of legislative or regulatory backing, moving the needle is challenging.

We might not all agree on the approach, but we can all agree on the importance of cybersecurity awareness training.

The dashboard competition

We added a small table on our monthly dashboard that goes to head table - it showed the top 3 divisions (faculties) in terms of percentage with MFA activated and the bottom 3 divisions.
When the Deans saw that, the adoption changed pretty well overnight. They can be very competitive if they understand it.
— Bo Wandschneider - University of Toronto

Attest in writing

We are starting a university wide compliance program that requires unit and department heads (and their IT staff) to attest in writing annually to their adherence to our 21 security standards (as required by University policy) and we anticipate we might see our training percentage edge higher as a result since that is one of the standards in the Policy.
— Jennifer Burns - The University of British Columbia

Your feedback is welcome!

There is a lot to consider for this and all policy cases. Coming to the table with information about the costs of increasing compliance, successful tactics for gaining that compliance, and an understanding of industry standards helps alleviate some of the decision-making pressure.

If you have other solutions for moving the needle on cybersecurity awareness training, or for other policy uptake we would love to hear them! Click here to start sharing your ideas right away. If you’d like to be a part of the discussions of our community of over 1,000 higher education IT professionals you can click here.


CUCCIO is a community of higher education IT professionals. Our 74 member institutions represent more than 90% of Canada’s university students, faculty and staff.
