Every January, the inbox of an average office worker receives an email from "HR & Compliance". The email says that the annual mandatory security awareness training is available again and that he must complete it within 30 days. The link goes to a platform from an American vendor whose name he doesn't recognise. The platform has a slogan like "Human Firewall" or "Build Your Cybersecurity Culture". The training consists of about nine modules of five to ten minutes each. Every module ends with a multiple-choice question. If you answer all questions correctly, you get a certificate.
Security awareness theatre: why training your people doesn't work