Security Training. PHOTO: Cybercrime Magazine.

Security Awareness Training Market To Hit $10 Billion Annually By 2027

SACBT solutions are a major growth driver. Sponsored by KnowBe4

David Braue

Melbourne, Australia – Apr. 19, 2022

SECURITY AWARENESS TRAINING REPORT

It was back in 2010 that Janet Roberts was approached by a security executive with what seemed like a surprising request: would she help her employer, Zurich Insurance Company Ltd, design a formal security awareness program designed to educate its employees about the importance of cybersecurity?

Knowing nothing about cybersecurity or security awareness programs, Roberts — a former paralegal, media relations professional, and self-described “lifetime learner” who was working in internal communications within the company — professed her ignorance of cybersecurity, which at that time was still a niche concern relegated to the dark corners of the IT department.

“I responded that ‘I don’t know what that is, and are you sure you want me?’” she recounted to a recent SANS Institute International Women’s Day webinar.

The response was an epiphany: “‘I can’t teach the male technical people to speak to the employees in a way that they’ll listen and take action. I think I can teach you as much security as you need — and I need you to communicate,’” she recalled him saying.

Twelve years and three cybersecurity awareness training program builds later, the suggestion turned out to be a perfect fit for Roberts — who now works as the company’s global head of security education and awareness, managing security education campaigns for the major global insurer’s 55,000 employees.

“It has been a fascinating and wonderful career,” she said, “and I still love doing it every day.”

Security awareness training has become more important than ever amidst an ongoing surge of cybercrime attacks — which exploded in 2021 on the back of a surge in ransomware, and continues spiking in response to major world events like the Olympics and Russia’s invasion of Ukraine — that has kept the risk of employee compromise concerningly high.



As every security executive knows, it only takes one of those employees to click on a malicious link for the entire company to be jeopardized — and as every business executive has rapidly learned in recent years, preventing that from happening has become both a key security goal and an increasingly important governance requirement.

The fast-growing market for what Gartner has dubbed security awareness computer-based training (SACBT) solutions has expanded to support this need, with a host of innovative contenders emerging as companies embrace security awareness training in the same way they conduct fire safety training, workplace safety training, diversity training, first aid training, company values training, and so on.

SACBT platforms insulate companies’ increasingly data-based operations from the risks of the human element — something that, recent Ponemon Institute research found, has imposed a growing cost on companies whose lack of secure practice is causing their employers major financial losses.

Fully 56 percent of 3,807 analyzed cybersecurity attacks were caused by negligence by an employee or contractor, Ponemon found, costing $484,931 per incident on average — and with two-thirds of companies reporting between 21 and 40 incidents per year, the financial losses quickly add up.

With flexible-work mandates set to keep many employees away from the office for large portions of their time, SACBT has become a critical way of keeping those workers in the cybersecurity loop — providing personalized, relevant training when and where it’s needed.

Little wonder that companies are embracing SACBT — driving demand that will, Cybersecurity Ventures predicts, push the overall market for security awareness training products and services (not just SACBT) to be worth $10 billion annually by 2027.

SACBT providers have been repositioning themselves to benefit from that growth, with a series of mergers several years ago adding bulk to industry competitors that typically started with one particular focus, then expanded their offerings based on demand from increasingly sophisticated customers.

Investors have also jumped aboard, with firms like SecurityAdvisor and NINJIO closing healthy funding rounds.

Much more than a written manual

Strong adoption of SACBT solutions has followed a period of trial and error for the industry, which has struggled with the notoriously short retention periods from conventional classroom and episodic computer-based training.

Just like training in other areas, employees tune out of cybersecurity training and eventually revert to old habits — typically, one USENIX Association study found, around four months after their last cybersecurity training.

This means that companies should ideally be retraining their employees in cybersecurity best practice every six months on the outside, the researchers recommended, also noting that training based on videos and interactive examples were most effective.

Designers of SACBT solutions have taken this and similar research into consideration, expanding what used to be relatively static content into continuous training platforms.

These platforms typically incorporate a learning management system (LMS) to track which modules each employee has completed and when, as well as to choose relevant training modules to convey required skills in a way that will best suit each employee’s observed strengths and deficiencies.

KnowBe4, for example, offers an extensive library of training content and manages simulated phishing tests that trigger remedial training to ensure that workers’ cybersecurity knowledge stays fresh over time.

Benchmarking has demonstrated how well SACBT platforms can improve employees’ awareness of cybersecurity threats.

In one long-term study, for example, a baseline cohort of which 31.4 percent of users were prone to phishing attacks was given regular awareness training and tested monthly to see how susceptible they were to attacks.

During a three-month training period, the susceptibility score fell to 16.4 percent — and by the time 12 months had passed, this had dropped to just 4.8 percent of users.

Regular reinforcement of training, then, enables security managers to consolidate the very significant improvements that SACBT platforms provide.

And, because they track each user’s progress and phishing susceptibility individually, the platforms can build individualized learning plans that concentrate additional training on the users that need it the most — including executives, who must be particularly targeted for cybersecurity awareness training.

A responsive, agile awareness training program not only ensures that employees are meeting cybersecurity training objectives, but allows the addition of relevant training to minimize exposure to major new vulnerabilities, like the recent Log4J or Access:7, that can pose existential risks to business survival.

User engagement up front, security governance out back

SACBT tools should be rolled out as part of a broader program of employee and executive awareness, couched within cybersecurity risk remediation programs that inevitably include integration with a range of other business-management activities.

Yet for most employees, the most immediate concern in the choice of SACBT platform is that it be engaging — a key design requirement that can make the difference between awareness training success and failure.

Recognizing employees’ increasing lack of time, cybersecurity training has evolved from ponderous, hours-long workshops that leave employees yawning, into bite-sized videos, episodic series, podcasts, or interventions that direct users to a quick training exercise immediately after they click on a malicious link that is blocked by back-end content scanners.

While each vendor’s approach and content differ slightly, user reviews offer strong guidance as to which are likely to be most accepted by users: fully 92 percent of users said they would be willing to recommend KnowBe4’s SACBT platform to others, according to the most recent Gartner Peer Insights ‘Voice of the Customer’ analysis.

In the longer term, however, SACBT platforms will increasingly become part of a broader ecosystem of security governance in which regular metrics are illuminating deficiencies in companies’ cybersecurity postures.

Just as Roberts found her calling by translating technical cybersecurity concepts into communicable security programs, today’s SACBT programs will be most useful as part of broader efforts to quantify, track, and improve security capabilities through targeted training and technical remediation.

Risk-averse companies should consider ways of integrating SACBT solutions with tools measuring users’ security competence — Empired, for example, recently launched an Empired User Score tool that tracks each employee’s tendency to risky behavior, while KnowBe4’s Security Culture Maturity Model evaluates a company’s security culture against a series of benchmarks — and tools like SecurityScorecard, which measures infrastructure and operational risk.

It may be impossible to completely eliminate human error, but risk-aware companies now understand how important it is to try.

With the right SACBT platform as part of a broader risk portfolio encompassed in what Gartner calls a security behavior and culture program (SBCP), businesses can stem exposure to human error — and keep everybody in the organization reading from the same hymnal when it comes to cybersecurity.

“Human error continues to be a factor in many breaches,” Gartner noted in a recent assessment of the top security trends for 2022, “demonstrating that traditional approaches to security awareness training are ineffective.”

“Progressive organizations are investing in holistic SBCPs, rather than outdated compliance-centric security awareness campaigns. “An SBCP focuses on fostering new ways of thinking and embedding new behavior with the intent to provoke more secure ways of working across the organization.”

Lightning Strikes

When top security leaders and vendors sing from the same playbook, that is the type of alignment we need to ignite innovation. We saw that in action, at the SANS Security Awareness Summit 2021, where Zurich’s Roberts, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, gave lighting talks at the free global virtual event for thousands in our community. Graphic recordings of Roberts and Carpenter alongside other experts are still accessible from SANS.

In her talk, Roberts offered some interesting tips on how to align with your leader, including an elevator pitch. Carpenter spoke on how to roll your own pro-level content on the cheap. Everyone is a publisher, if you listen to him.

The SANS event also featured presentations by experts at Accenture, NIST, Royal Bank of Canada, Salesforce, Siemens, Stanford University, Verizon, and others.

If you missed the 2021 event, then you can plan to be at the SANS Security Awareness Summit 2022, in-person (Austin, Texas) or virtual.

What will you learn and do differently in 2022? That is the big question for security leaders.

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.


Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.