Security Awareness: 5 Creative Ways to Train Employees on Cybersecurity

Security awareness in the workplace takes effective training

Fifteen years ago, the No. 1 problem plaguing corporate email inboxes was spam, which bogged down users but wasn’t typically malicious. A lot has changed since then: Today, hackers and cyber criminals are using all types of social engineering tactics to launch attacks through email, including some clever phishing and highly sophisticated spear phishing campaigns. According to a recent threat landscape survey conducted by the SANS Institute, 74 percent of all security threats originate as email phishing attacks.

Despite the enormous investment that companies have made in recent years to shore up their cybersecurity defenses, often times the only thing that stands between the organization and a full-blown cyber attack is whether or not an employee clicks on a malicious link or downloads malware to their device.

When it comes to phishing and spear phishing, the best defense against these attacks is a strong offense. Organizations have a responsibility to train their employees to be more aware of email security threats and, in doing so, transform them from email security victims into email security defenders who can proactively detect and report email security breaches before they can cause any serious damage.

However, getting employees to engage in effective anti-phishing training requires more than just having them attend a few traditional classroom-style training sessions. Here are five alternative methods for email security awareness training that can dramatically reduce the risk of any organization being victimized by potential damaging phishing attacks.

Relevance to Employees’ Departments and Roles

An effective anti-phishing training program should take on a form that reflects the way employees actually send, receive and react to emails on a day-to-day basis. Programs administrators should craft familiar-looking email templates, landing pages and terminology that “blend in” with other email traffic and do not readily stand out as being too obvious or suspicious-looking. Training materials can also be personalized based on an employee’s department or job function.

Unscheduled Simulation Campaigns

The element of surprise is critical when it comes to honing employees’ email security awareness skills. Studies have shown that unscheduled phishing simulation campaigns are far more effective than pre-scheduled campaigns when it comes to email security awareness. That’s why it’s important to not give advance notice to employees when running phishing simulation campaigns. This requires employees to constantly stay on their toes and maintain a high level of threat alertness at all times. Hackers don’t announce when they plan to launching a phishing attack, and neither should you.

What NOT to do: Giving advance notice, as the calendar above illustrates, makes phishing simulations far less effective.

Computer-based Training (CBT)

Formal email security training can’t always be scheduled at the same time for everyone, especially if you are a multinational organization with offices in different time zones. The most effective training programs offer a large library of computer-based training (CBT) content, preferably in video format, that employees can study, review and be tested on at their own pace. The CBT content library should be updated regularly to reflect the latest threats, which will help keep employees continuously focused on learning new material and highly engaged.

Examples of phishing awareness CBT videos

Gamification and Rewards

One of the biggest hurdles for security awareness training programs is getting employees to dedicate their time and attention to it. If they are not interested in succeeding or improving, the training will be nothing more than a waste of time. Any kind of training program, security awareness or otherwise, needs to give the trainees an incentive to participate and excel.

Gamification makes security awareness training fun and engaging by turning the workflow into a game with leaderboards and user leveling systems. This will help train users to spot and report threats while keeping the idea of spear-phishing at the forefront of their mind.

One method of gamification that receives good acceptance within a variety of different organizations is risk-based scoring.

Generally, negative points are assigned to unsafe actions such as:

  • Clicking on a link.
  • Filling out a web form.
  • Replying to an email or text message.
  • Disclosing too much information in Out of Office messages.
  • Calling an unknown phone number in an email.
  • Opening an attachment.
  • Plugging an unknown USB device into a computer.

In a similar manner, positive points are assigned to positive actions:

  • Completing a training session.
  • Reporting a suspicious email using the correct channel.
  • Hanging up a phone call before disclosing sensitive information.

Trainers use these metrics to look at the results of individual training campaigns. Higher participation rates can directly result in a lower risk of successful phishing attacks against the organization. Individuals and departments can be offered recognition or prizes to increase participation.

Once an organization sets point values for positive and negative actions, risk-based scores can be compared to internal and external benchmarks to measure continuous improvement over time.

Gamification and rewards programs encourage healthy competition among departments and keeps employees on the path of continuous improvement.

Continuous Performance Improvement

Many security awareness training programs use “click rate” as the primary success metric—the lower the rate, the more effective the training. However, a low click rate can be easily achieved through “exhaustion campaigns,” which teach users to recognize a very specific type of phishing email through repeated exposure to it, not how to critically evaluate emails for potential phishing attempts. This can be a dangerous approach because it creates an illusion of better security awareness.

An excellent alternative to the click rate metric is levelized training, which serves increasingly challenging content to the employee as they progress through the program. In a simple click rate program, the employee is often dropped after a predetermined number of successful simulations so that the simulations can focus on the users who need additional training. Levelized training programs keep the employee engaged throughout the life of the program by continuously “upping the ante” and challenging employees to continuously improve their phishing awareness levels.


As phishing attacks have grown stealthier and more sophisticated, oftentimes the only thing that stands between an organization and a full-blown security breach is whether or not an employee clicks on a malicious link. In such a high-stakes business environment, educated employees are a critical line of defense. The more interesting and challenging organizations can make their security awareness training through relevance, surprise, compelling content, gamification and continuous improvement, the more effective their defenses will be.

Mike Vizzi

Avatar photo

Mike Vizzi

Mike Vizzi is the Senior Product Marketing Manager for Barracuda’s PhishLine email protection product line. Mike has an extensive background marketing SaaS-based solution for the SMB and Enterprise markets as well as data offload, M2M and IoT products for wireless carriers and automotive OEMs. Mike holds a BA from Northeastern University and an MBA from Suffolk University.

mike-vizzi has 1 posts and counting.See all posts by mike-vizzi