Imagine an e-commerce company with annual sales of $20 million having its operations interrupted for 72 hours by a phishing e-mail.

An employee unwittingly clicked on a malicious link, giving access to sensitive data and resulting in a loss of $2 million, including the cost of restoring security and regaining customer confidence.
This may sound like a dramatic scenario, but it’s the reality that many organizations face on a daily basis.
In 2023, a study by IBM Security revealed that 95% of security breaches are caused by human error. Source: https://www.ibm.com/security/data-breach
The question is simple: can employee training really reduce these risks, and if so, by how much?
Figures that prove the effectiveness of our training courses
The statistics speak for themselves:
- A study by Proofpoint shows that phishing awareness training leads to an 85% reduction in incidents. Source: https://www.proofpoint.com/us/resources/white-papers/annual-human-factor-report
- According to Verizon, companies with active training programs reduce inadequate responses to cyber attacks by 70%. Source: https://www.verizon.com/business/resources/reports/dbir/
- IBM Security’s Cost of Breaches 2023 Report shows that organizations with structured training initiatives save an average of $1 million per breach prevented. Source: https://www.ibm.com/security/data-breach
For example, a US-based financial company recorded a 40% drop in phishing incidents after implementing quarterly training.
These results are due to the quality of the content and realistic practical exercises, which enable employees to better understand the consequences of their actions.
Another example is that of a large European company which, after carrying out targeted simulation tests and training at regular intervals, saw a 60% improvement in the detection rate of suspicious e-mails by its employees.
These significant gains show that a structured, repeated approach works.
How to structure effective training
A well-designed training program is based on several fundamental principles:
- Optimum frequency: Quarterly training combined with occasional reminders is ideal. One technology company found that intensifying training to a monthly rhythm increased errors due to cognitive fatigue, so the right balance between frequency and commitment is essential. For a medium-sized organization, quarterly training accompanied by monthly reminders via e-mail or interactive quizzes is often effective: sessions packed too closely together, such as weekly ones, lead to cognitive fatigue, while sessions spaced too far apart reduce information retention. The aim is to keep employees involved without overwhelming them, and to adapt reminders and content to the specific needs identified.
- Role-specific content: The needs of a developer differ from those of an HR manager or network administrator. For example, developers benefit from targeted training on coding vulnerabilities, while HR managers need to learn how to manage the risks of phishing and social engineering.
- Immersive practice: Regular simulations of attacks (e.g. phishing, pretexting) reinforce skills. According to a study by CybSafe, companies that use interactive simulations record performance improvements of 45% among their employees. Source: https://www.cybsafe.com/insights/
- Use clear metrics: Measure the effectiveness of programs with indicators such as the rate of clicks on malicious links during tests, or the response time to an incident. For example, one telecommunications company set up quarterly phishing tests. Before the training, 25% of employees were clicking on fraudulent links, but after six months of the program, this figure had fallen to just 5%. This type of metric provides a clear view of progress and enables training efforts to be adjusted.
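The metrics bullet above describes what to measure but not how to compute it. The following is an added example, not code from the article: it derives the click rate, the report rate and the median time-to-report from constructed quarterly phishing-simulation results, and checks whether the click rate is trending down, as in the telecommunications company's 25% to 5% figure.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample (hypothetical users): one row per employee per campaign.
# Columns: campaign, user, clicked (0/1), reported_at (ISO time, or "-" if not reported)
SAMPLE_RESULTS = """\
2024-Q1,alice,1,-
2024-Q1,bob,0,2024-01-15T09:02:00
2024-Q1,carol,1,2024-01-15T09:40:00
2024-Q1,dave,0,-
2024-Q2,alice,0,2024-04-10T08:55:00
2024-Q2,bob,0,2024-04-10T08:51:00
2024-Q2,carol,0,-
2024-Q2,dave,1,-
"""
# Constructed send time of the simulated e-mail for each campaign.
SEND_TIMES = {"2024-Q1": "2024-01-15T08:50:00", "2024-Q2": "2024-04-10T08:45:00"}

@dataclass
class CampaignStats:
    campaign: str
    recipients: int
    click_rate: float                       # fraction who clicked the simulated link
    report_rate: float                      # fraction who reported the e-mail
    median_report_minutes: Optional[float]  # None when nobody reported

def campaign_stats(csv_text: str, send_times: dict[str, str]) -> list[CampaignStats]:
    """Group rows by campaign and compute the three indicators per campaign."""
    by_campaign: dict[str, list[tuple[int, str]]] = {}
    for line in csv_text.strip().splitlines():
        campaign, _user, clicked, reported_at = line.split(",")
        by_campaign.setdefault(campaign, []).append((int(clicked), reported_at))
    stats = []
    for campaign, rows in sorted(by_campaign.items()):
        sent = datetime.fromisoformat(send_times[campaign])
        # Minutes between the e-mail being sent and each report of it.
        delays = [(datetime.fromisoformat(r) - sent).total_seconds() / 60
                  for _c, r in rows if r != "-"]
        stats.append(CampaignStats(
            campaign, len(rows),
            sum(c for c, _r in rows) / len(rows),
            len(delays) / len(rows),
            median(delays) if delays else None))
    return stats

def click_rate_improving(stats: list[CampaignStats]) -> bool:
    """True when the latest campaign's click rate is below the first one's."""
    return len(stats) >= 2 and stats[-1].click_rate < stats[0].click_rate
```

A rising report rate with a falling time-to-report is the complementary signal to watch: it shows employees are not just avoiding the link but actively alerting the security team.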
Cost-effective training
How do you determine whether training is cost-effective? The calculation is simple: add up the total cost of training (time, tools, trainers) and compare it with the savings made by avoiding breaches. Take an SME with 100 employees that invests $50,000 annually in training: a single breach avoided, estimated at $200,000, more than justifies this investment.
Indirect benefits complete the financial picture:
- A better corporate reputation, attracting customers and partners.
- Reduced insurance premiums, as some companies now require proof of training to apply discounts. Source: https://www.cyberinsurance.com/
- Increased confidence from employees themselves, who feel equipped to react.
The limits and pitfalls of training
Despite their effectiveness, training cannot eliminate everything:
- Intentional internal threats: A malicious employee can bypass systems. In this case, rigorous technical controls and increased surveillance are required.
- Sophisticated attacks: Some cyberattacks exploit technical flaws outside users' control. For example, attacks using zero-day vulnerabilities allow cybercriminals to exploit unknown flaws in software before patches are available. In 2021, the attack on Microsoft Exchange illustrated this type of threat, affecting thousands of businesses worldwide without any user intervention being required. In such cases, patching and regular maintenance take over from training.
- Poor program execution: Standardized training or lack of follow-up drastically reduces impact. For example, one-off training with no follow-up reminders often has little lasting effect.
To maximize the effect of the programs, it is crucial to:
- Carry out regular follow-ups to assess progress.
- Combine training with technology, such as advanced detection tools like EDR (Endpoint Detection and Response) systems. Source: https://www.gartner.com/reviews/market/endpoint-detection-response
- Adopt a holistic approach, integrating training into an overall security strategy that includes policies, procedures and technologies.
The future of security training
The future of information security training lies in the constant evolution of threats and the needs of each organization.
Artificial intelligence, for example, is beginning to play a key role, enabling programs to be customized according to employees’ identified weaknesses.
In practical terms, AI analyzes behavioral data to identify areas where employees make mistakes, such as frequent clicks on malicious links.
It then generates customized training modules that focus on these specific shortcomings. For example, an AI-based platform can offer repeated phishing simulations to a particular employee until they significantly improve their response.
Benefits include more focused learning, better information retention and an overall reduction in organizational risk.
Companies that have adopted this approach have seen a 30% improvement in cyber-attack resilience scores after just six months of use. In addition, e-learning platforms are increasingly relying on gamification techniques to maintain engagement and reduce cognitive fatigue. Source: https://elearningindustry.com/gamification-benefits-for-cybersecurity-training
An essential strategy
Information security training is an important weapon, playing a key role in reducing the risks associated with human error, but it is also a fundamental requirement of standards such as ISO 27001 and PCI DSS, essential for obtaining and maintaining certification.
These standards require employee awareness and training initiatives to ensure proactive threat management and optimum protection of sensitive data.
In a world where 95% of cyber-attacks are due to human error, investing in relevant and appropriate training is not only a smart choice, it’s a must if you want to transform your organization into a fortress, capable of resisting growing threats and guaranteeing its continuity while remaining compliant with international standards.
I invite you to click on “Follow” to continue learning more about the field of information security.