Why Use Security Awareness Training When 90% Is Forgotten Within 1 Week?
"50% of information is forgotten within 1 hour.
70% within 1 day.
90% within 1 week."
The last time I heard this was from Lucy Craddock. She was on stage at Cloudcamp #38 in November 2019. Clearly nervous and clearly trying to diminish what she was about to say...
But - 29 months later. Why am I still thinking about her words?
Because what she said was profound. Not social media profound, but actually profound.
Why are women disproportionally injured in car accidents?
She offered one possible answer:
- The EU has only run 1 crash test... with the female dummy in the passenger seat... and the female dummy was actually a smaller version of a male dummy.
- The US started testing in 2011... but uses a 110lb dummy that doubles as both a 12-year old child ...and a woman.
This is clearly wrong.
It must be addressed.
That question created an internal trigger that causes me to think about Lucy and her presentation regularly.
90% of people may forget within 1 week.
But what about the people who remember?
And the smaller group who create internal triggers?
These are the people that create the foundation of your security culture.
Security awareness training is about creating triggers. To cause people to "feel something isn't quite right".
It is not necessary to remember every rule and policy detail. Instead, it's essential to cause people to pause and feel.
That's why security awareness training is so valuable.
Keeping on Top of the Most Common Threats
The cyber threats you see in the news are rarely the ones your business faces each day.
There are, of course, certain exceptions like Log4Shell, which create lots of news attention and a genuine concern for most businesses. But, the more often reported advanced, complex and "top 1%" attacks - on the likes of Microsoft, Okta, and Nvidia - are interesting for their scope and scale. Not because most mid-sized businesses will experience them.
The cost of a targeted attack on these large enterprises is enormous. Simply, there isn't enough return to consider targeting a mid-sized business in the same way.
However, as the UK's NCSC advice "Vulnerability Scanning: Keeping on top of the most common threats" points out:
"Attackers routinely use automated tools to scan for exploitable vulnerabilities. There's no reason why we cannot also benefit from performing the same activities"
Building a solid foundation and scanning for vulnerabilities means the most common, routine cyber threats are considered.
These are the common, time-wasting attacks that are a nuisance rather than a nation-state actor. And the ones that will impact you.
While it is always interesting to observe the 1%, it is essential to mitigate the routine 99%.