Synopsis
OutThink trains about four million learners across the world, representing around 100 million interaction datapoints. This data sits in a complex data layer inside the platform and drives benchmarking inside the product. The Research Labs team wrangled up a set of data points from this repository to do an industry-wide analysis of CHRM trends, benchmarks and learnings. We are all about leveraging that adaptive security awareness training and phishing simulation interaction to learn from the people getting trained, and to pass those learnings right back to the security team.
The Behavioral Segmentation Grid
Almost half of learners can benefit from just a few targeted content nudges to become security champions! Over 24% of learners can collaborate with Security to change behavior and culture across the company.
As Marius Olivier, Head of Cybersecurity HRM at Emirates Group, explains, “You can’t treat all learners the same way!”
Engagement is a Journey
Most learners have become conditioned to bad, irrelevant and boring awareness training. They typically race through it until the bitter end. Engagement is a key metric to track for ensuring that actual learning is taking place, not just completions.
Because people come into OutThink with such low expectations of adaptive security awareness training, at the outset engagement might be low, and will increase as adaptive training becomes the norm in the organization.
Not every learner is equally engaged. The key is to measure engagement and look for patterns in the data that show which departments, roles, or content modules underperform, so as to formulate a tailored strategy to bring up all pockets of engagement.
Security-Business Alignment, On the Ground
Why We Click on Simulated Phishing Emails
When offered the chance to explain why they clicked on a phishing simulation, the most common reasons given are related to the identity of the sender.
Despite sender identity being a core element of cybersecurity advice and best practice, 82% of reporting compromised learners say they did not make elementary efforts to verify the sender of the message.
Curiosity is another key driver leading learners to compromise themselves. 10% of learners cite the fact that they “did not expect the email” as the only reason they clicked. Contrary to the received opinion among cybersecurity professionals, for some users, novelty and unfamiliarity are not warning signs but rather tempting reasons to explore further.