
Top 5 Things Wrong with Free Cyber Awareness Trainings
Free Cyber Awareness Trainings
One of the most fundamental principles of staying safe online is proper Cyber Awareness (Cyber Hygiene). Cyber Hygiene is the cyberspace equivalent of regular hygiene: just as you would not reuse a dirty set of utensils for a new meal, you should not reuse the same password across several user accounts. Although Free Cyber Awareness Trainings are available online, there are several concerns about the effectiveness and applicability of such courses. Most importantly, we recommend Free Cyber Awareness Trainings only for individual use, to set an initial baseline, and not in a professional environment.
Poor Design & Lack of Interaction
Cyber Hygiene, like any other study topic, requires a dedicated methodology to be taught effectively. Often, Free Cyber Awareness Trainings consist of long walls of text or incoherent groupings of technical definitions irrelevant to the situation at hand. Additionally, training courses need to be fun and interactive – people should not be shamed into learning, as this leaves both parties in a lose-lose situation: the trainers cannot convey their knowledge effectively, and the trainees end up unhappy and unmotivated to learn more.
RiskSight’s Cyber Hygiene Courses are based on the notion that human risk behavior management in cyberspace is a continuous process in which trainees and instructors alike need to learn and adapt. Our Methodology consists of the following principles:
- No “Pass or Fail”: instead of evaluating correct or incorrect answers, we focus on identifying risk areas and evaluating risk. This means that a score of 90% can still indicate a meaningful level of risk.
- Interaction: course materials are built on discussion and case study methodology.
- Feedback: participants can share their stories and experience, note disagreements and comments that they deem necessary.
- “The Human Firewall Approach”: constantly updating the course materials and keeping them up to date helps to raise awareness of cyber security threats and risks among people, while creating the first line of defence in organisations.
- Risk Matrix: participants are assessed against a systemic risk matrix in which the level of risk along each threat vector is highlighted. The risk matrix not only covers technical aspects but also describes issues related to the individual and the organization as a whole. Risk is assessed across 12 threat vectors, which are categorized into four classes – knowledge, exposure, belonging, and personality.
Further details about RiskSight’s Cyber Awareness Trainings can be found on either the Product Page or the Methodology Page.
Privacy Considerations & Forfeiting the Dataset
As with most free services online, you are generally “paying” with your personal data. Often, service providers are entitled to process your data and sell it to the highest bidder for AI training, trend or behaviour analysis and other use cases, especially outside of the European Union. Additionally, without any post-course information about your results or suggestions for improvement, the course does not serve its purpose.
RiskSight’s Cyber Awareness Trainings provide tangible risk results for various target audience segments – per individual, per user group/department/unit, and per organization. Such risk profiles outline results in different categories and threat vectors, reflecting participants’ decisions, opinions and knowledge throughout the course. The Cyber Hygiene Risk Assessment Methodology covers risk areas in four primary categories, combining technical and non-technical areas as well as individual and environmental (surrounding) areas, and spans all critical threat vectors such as authentication, phishing, ransomware, data backups and more.
Lack of Customization
Cyber Awareness Trainings cannot be produced as one-size-fits-all trainings. Different sectors introduce nuances and differences that need to be accounted for. For example, threats in healthcare differ from those in academia because of differences in daily organizational operations, assets and architecture. Additionally, policies and procedures vary across organizations in terms of restrictions, the services and applications used, and the organic environment of the organization. Therefore, whilst the core principles of Cyber Hygiene remain the same, an additional level of customization is required to get the most out of the training.
RiskSight’s Cyber Hygiene Courses come with a Customization Package, which makes the entire library of Cyber Hygiene Content for the applicable sector available and allows for a selection-based approach. Our customization methodology uses a focus group approach: a set of trainees from different areas of the organization is selected to run a test training for validation and localization purposes. Feedback is collected, and the course is then updated with the necessary elements.
One of the most important aspects of a Cyber Hygiene Course is to shed light on the reasoning behind the rules. Trainees are meant to be able to complete the course in their native language. Our goal is to provide support for as many languages as possible. RiskSight’s Cyber Awareness Trainings are available in 22 languages.
Incorrect Guidance & Best Practices
Cyber Hygiene best practices are based on general awareness and acknowledgement, as well as a calm and clear mental approach. Free Courses might not take into account the most appropriate behaviour or actions for specific situations, or might provide recommendations that are too general. Furthermore, they might have been composed with minimal or insufficient effort.
It is important to note that cybersecurity can be viewed as a scale. On one side is security and on the other, convenience. Most increases in security will come at the cost of convenience, and vice versa. For example, reusing passwords makes online life more convenient but increases the risk of account takeovers when one of the accounts gets compromised. We help users and corporations implement best practices as a first step and find the right approach for their specific threat model.
Incorrect and unreasonably strict guidance can be demotivating and push users toward shortcuts that introduce security vulnerabilities. For example, requiring employees to change their passwords too frequently may lead users to choose simple and predictable passwords. Our aim is to be realistic about best practices and to ensure that users have the necessary tools and knowledge to follow them.
Lack of Risk Assessment & Tangible Results
Most of the time, Free Cyber Hygiene Courses do not provide any after-action activities or benefits once you complete the course. This, in essence, is a design flaw and a risk in itself. Cyber Hygiene and Risk Mitigation Courses are not meant to be one-time activities. It is unreasonable to assume that a one-time 30 or 60 minute course is enough to be fully protected against every cyber threat out there. As cyberspace evolves so rapidly, new threats and risks emerge every day, many of which we need to keep up with. This requires risk monitoring and additional trainings.
RiskSight’s Cyber Hygiene Courses provide a full analytical overview together with a comprehensive Risk Assessment Profile, highlighting participants’ behaviour in various risk areas and threat vectors. Areas that carry more risk and need additional attention are highlighted, along with some best practices to start with.