Brian Pennington

A blog about Cyber Security & Compliance


security training

Professional Security Training is substantially better than PowerPoint or Handouts

Ponemon Institute conducted an experimental study on how participants of a Digital Defense training program experienced substantially higher learning gains when compared to results of a placebo group.

The experiment was conducted in seven participating companies and involved 277 employees, all office workers with routine and regular access to IT services. Approximately half of the participants completed two of three separate SecurED models the other half were asked to read three PowerPoint presentations containing identical content on data security. Both groups completed three quizzes. The first quiz provided a baseline level of knowledge for each subject. The second quiz measured immediate learning after completing the SecurED module or PowerPoint script. The third and final quiz was used to measure each subject’s learning gain about 2 to 3 weeks after the training experiment.

The learning gains for both groups were measured as the difference or net change in quiz results from the baseline reading. In addition to measuring participants’ learning, we asked questions about the importance and relevance of data security training in their workplace.

How learning is improved

SecurED out performs the alternative training intervention, termed placebo. All three SecurED training modules tested in this study held consistently positive results. For instance, with respect to quiz performance, subjects on average scored above an 80% correct response rate.

Results of this study

  • The average subject’s long-term learning gain was a 60% increase from baseline
  • Only 5% showed a decline or “tone down” after 2 or 3 weeks
  • The long-term learning gain for the placebo group was a 15% increase from baseline, and a 20% tone down over 2 to 3 weeks

The following are findings related to staff level, age, function and gender.

  • Staff and associate level employees experienced a higher learning gain than director and VP level employees (70% versus 40%).
  • Employees between 26 to 35 years had the highest learning gain at nearly 75%, while older subjects between 56 to 65 years experiencing an average learning gain at about 30%.
  • Employees in customer services and IT have the highest learning gains at 80 and 70%, respectively. In contrast, respondents in legal and general management have a much lower learning gain at 20 and 30%, respectively
  • Female employees experienced a higher long-term learning gain than their male counterparts (e.g., 65 versus 55%).

Perceptions about security training

Relevancy of training

Debriefings of subjects revealed 72% perceive SecurED as relevant to their present job functions. In addition, 88% of subjects perceive SecurED as enjoyable and worthwhile.

Availability of training

Subjects experiencing SecurED appeared to hold a stronger belief that training on data protection and information security should be made available to all employees, including high-level executives. However, 58 of subjects experiencing SecurED and 65 in the placebo group believe security training should be optional (not mandatory).

Deployment of training

A majority of subjects believe security training should be rolled out top down rather than bottom up. In other words, senior executives taking the time to do security training is helpful in demonstrating the importance of information risk management to rank-and-file employees.

Concluding thoughts

Subjects experiencing SecurED are more likely to believe training will positively impact employee behaviour with respect to more cautious handling of data assets and endpoint devices. We believe training effectiveness should be an essential activity for all organizations due to an increase in privacy and security risks resulting from employee negligence, cyber attacks and insecure devices and platforms.

To illustrate this growing risk, another recent Ponemon study found office workers (employees) are not taking appropriate steps to protect computing devices or company’s information assets. Specifically, 53% said the sharing of business information does not negatively impact or harm the company. 51% said the company has policies that are not strictly enforced and 68% said their organization does not take steps to ensure employees do not wrongfully obtain and misuse competitive information.

Many companies are also failing to keep employees’ access privileges in check. While 51% say their access privileges appropriately match what they need to do in their job, 29% say they allow them to see data that is unnecessary to their work.

According to IT security practitioners, the number one most serious challenge to addressing insider fraud is raising employee awareness. Despite its importance, however, research finds less than half of U.S. companies provide formal security training for their employees, even for those who have privileged access to highly sensitive or confidential data.

Taken together, recent research findings demonstrate employee indifference to the loss or misuse of business information or the theft of mobile devices (such as laptops, tablets and smart phones). In short, they fail to understand the importance of personal accountability in order to achieve and maintain a secure workplace.

Combating Cybercrime to Protect Organisations

PWC have released their annual Cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey“, and as usual it makes very scary reading.

The report shows that crime is up and those organisations have been slow to react to the threats. Threats that were highlighted in previous reports.

Organisations of all sizes need to improve their abilities to protect their sensitive data and the report focuses on several area that need addressing, for example awareness of the threats in senior management and training for employees in how to spot crime and how to take the appropriate steps to react to the incident (Incident Response Planning…).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries. The scale of the survey has provided a global picture of economic crime.

The key findings of the report are shown in full, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PWC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for Senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board, the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

UK  Global
1. Information technology 52 53
2. Operations 42 39
3. Sales and marketing 36 34
4. Finance 37 32
5. Physical/Information security 22 25

Find the full report here.


Create a free website or blog at

Up ↑

%d bloggers like this: