A trainer’s take: “Training alone won’t change behaviours” 

Category: Insights
John Scott, Lead Cyber Security Researcher

I've spent over 35 years as a trainer in various capacities, so it might surprise you to hear me say that training alone isn't enough to change behaviours—particularly when it comes to security. This isn't just my opinion; it's a conclusion from our State of Human Risk Management in 2024 Report. 

To understand why training isn't the full solution, we need to delve into the field of human error. Mistakes—errors caused by wrongly applied knowledge—can often be corrected with training. For instance, if I'm unaware of what a phishing email looks like, training can enlighten me. However, even people who are well-trained, me included, occasionally fall for phishing attempts. Why? 

Oops! When training trips on slips and lapses 

Professor James Reason says it's because of slips and lapses. Slips are perceptual errors—like not noticing a misspelled URL such as g00gle.com instead of google.com. These errors occur when our attention is diverted or when we're operating on autopilot without fully engaging our cognitive resources. They are often linked to distractions or multitasking environments, where the brain's finite attention is split among various tasks, leading to oversights. 

Lapses, on the other hand, are procedural errors—forgetting a step in a process. For example, I might rush at the end of the day and neglect to scrutinise a URL before clicking. Lapses often occur due to memory failures or when routines are disrupted, leading to omissions in expected sequences. They can be exacerbated by fatigue, stress, and time pressure, which impair our memory and decision-making abilities. 

Moreover, training does not effectively prevent violations—deliberate deviations from prescribed processes or rules. Sometimes individuals knowingly bypass protocols due to pressure to meet deadlines, perceived inefficiency in the system, or a false sense of security. These violations aren't the result of a lack of training but rather a conscious choice to ignore what has been taught. 

All of the above highlights the limits of training as a standalone solution. While it can increase awareness and preparedness, it cannot remove the inherent vulnerabilities in human thinking. So, how can we address human error effectively?

Building a resilient ecosystem 

Ultimately, fostering security behaviours involves more than just training; it requires building an ecosystem that supports resilience. This includes investing in the right tools, creating clear policies, and ensuring leadership is aligned with security objectives. By addressing the human element comprehensively and leveraging technology, organisations can build a security framework that is adaptive and responsive to the ever-evolving landscape of threats. 

A new framework: Monitor, Reduce, Fix 

When it comes to quantifying and tackling human risk, we propose the Monitor, Reduce, Fix framework: 

  • Monitor: Measure and track actual human behaviours, beyond just phishing attempts. This includes SaaS usage, password sharing and reuse, and GenAI use—all the risks that modern businesses face. 

  • Reduce: Provide in-the-moment coaching to individuals who require guidance. This immediate support helps prevent the recurrence of risky behaviours.

  • Fix: Identify a problem and take action to resolve it. Whether through automatic interventions or nudges that motivate change within employees, it's crucial to address these issues promptly. You must fix that dripping tap!