The security awareness training industry as a whole has seen some innovation over the last 20 years, but not much. Helping individuals recognize social engineering before it turns into a security breach has started and stopped at monthly assessments and training videos, usually in the form of phishing training and short videos followed by quizzes. There has been some iteration on these ideas over the last 2 decades, but overall, not much has changed since businesses started to recognize phishing as a security threat in the mid-90s. The phishing exercises have become more realistic, the training content has been polished up, and delivery to employees has become more streamlined, but nothing much has entered the arena above and beyond better videos and assessments.
The missing piece needed to create a recognizable reduction in risk is a concept called Human Vulnerability Management. Human Vulnerability Management is about scraping away videos, “posters in the bathroom” and Amazon phishing tests and getting down to what vulnerabilities exist in human beings. Human Vulnerability Management means actually changing people's behavior. This change in behavior, once measured, can be used to provide additional behavioral assessments that will continue to address an individual's risky behavior, change it, and create a real reduction in risk.
This post was written by goots