Why Do Cybersecurity Awareness Programs Often Fail?

Security Awareness Expert John Scott on Adapting Tech and Process
John Scott, lead cybersecurity researcher, Culture AI

Many security awareness training programs fail because organizations don't understand the risks they face, said John Scott, lead cybersecurity researcher at Culture AI. He said a successful training program "will help people by making sure that it's targeting the behaviors that address the key risks for the organization."

Scott runs Culture AI's internal security awareness program, which focuses on "human risk management." That means intervening at just the right moment with a "security nudge" to help employees understand when they've done something wrong.

Scott said we should move away from "blaming" humans because error is inevitable. "If you see a pattern of spikes in a particular area, go find out why. Don't go in with your feet first - shouting and telling people off - because there may be a legitimate reason," he said.

In this video interview with Information Security Media Group, Scott discussed:

  • Why traditional security awareness training programs are not working;
  • Understanding human behavior and when to apply a "security nudge";
  • Practical steps security leaders and teams should consider when applying the "nudge theory" to security programs.

In his role at Culture AI, Scott focuses on human behavioral data and risk management. He previously worked in a senior security transformation role at BT and was head of security education for the Bank of England for nearly seven years, running an internationally recognized culture change program for the U.K.’s central bank. He also serves as an instructor for the SANS Institute, teaching classes worldwide on managing human risk. He is a frequent international speaker on security culture, and his key passion is the need for security to be a champion of all colleagues, rather than just being the "department of no."

About the Author

Anna Delaney

Director, Productions, ISMG

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.