The one-dimensional and outdated cyber security awareness learning provided by most UK organisations is not 'fit for purpose' and is limiting employees' ability to understand what good cyber behaviours look like, according to research* from AXELOS.
The approach also does little to create, embed and sustain the behaviour change required in organisations to respond better to cyber attacks. While 82% of organisations are using traditional, computer-based training and e-learning, fewer than a third are deploying some of the latest learning techniques that offer more immersive and engaging learning for staff.
The research commissioned by AXELOS and conducted by Ipsos MORI shows that three information security learning methods dominate more than half of UK workplaces: computer-based training/e-learning, face-to-face and video instruction. New proven learning techniques are being adopted by a comparatively small proportion of organisations. For example:
Compounding the problem, fewer than half (46%) of executives responsible for information security training in UK organisations with more than 500 employees provide ongoing information security awareness training beyond new staff induction or annual e-learning refresher courses.
Nick Wilding, head of cyber resilience best practice at AXELOS, said: 'Organisations are still trusting in their annual, cyber awareness e-learning. To expect this approach to influence resilient behaviours is unrealistic. Typically, this one-off course--required once, designed once, delivered once and completed once--is also forgotten at once.
'It risks leaving staff ill-prepared and unaware of the practical things they can do more effectively to manage the daily risks they face. We need a new approach: just as technical controls will evolve and adapt in response to changing threats and vulnerabilities so we need to ensure all our people receive practical and engaging advice and refresher learning on a regular basis throughout the year.'
Wilding said that despite the almost universal belief (99%) among senior managers that information security awareness training is important to...