Training Methods to Boost Security Performance


Summary

Training methods to boost security performance involve creating ongoing, realistic learning experiences that help employees recognize and respond to threats like phishing, social engineering, and scams. These approaches focus on practical, behavior-driven exercises rather than one-time lessons, aiming to build security awareness and good habits across the whole organization.

  • Use real-world simulations: Run regular mock attack scenarios that reflect current threats, such as phishing emails, deepfakes, and social engineering tactics, to help employees practice spotting dangerous situations.
  • Personalize learning: Tailor training content and frequency to each employee’s role and skill level, ensuring that everyone gets guidance relevant to the risks they face.
  • Build supportive culture: Encourage open conversations about suspicious activity so employees feel comfortable asking questions and reporting concerns without fear of embarrassment.
Summarized by AI based on LinkedIn member posts
  • Rajeev Mamidanna Patro

    Fixing what Tech founders miss out - Brand Strategy, Market Positioning & Unified Messaging | Build your foundation in 90 days

    7,736 followers

    Yesterday my daughter made an observation that’s relevant to all mid-market CISOs.

    While speaking to her on voice call, my father-in-law struggled to switch the WhatsApp call to video to show their dog’s antics. He asked my mother-in-law to help. While on the call, my mother-in-law needed to transfer money via UPI to someone. So they had to cut the call - because my father-in-law needed to step in!

    My daughter came to me with this question: Two people. Same house. Same everyday things. Yet their skill levels are so different.

    Now, imagine this inside a company with hundreds or thousands of employees.

    - Some struggle to identify phishing emails
    - Some don’t understand the risk of weak passwords
    - Some click on malicious links without a second thought
    - Some approve payment requests based on text messages
    - Some download & install unauthorized software
    - Some share sensitive information over email without realizing
    - Some upload company secrets into ChatGPT for projects

    Yet, many CISOs run just one or two cyber awareness simulations per year & think it’s enough. It’s not.

    Cyber awareness needs to be continuous, personalized & measurable. A strong cyber awareness program should:

    1) Test employees with real-world attack scenarios
       Phishing, smishing, vishing, and deepfake attacks that mimic what attackers actually do.
    2) Adapt training based on individual skill levels
       A finance executive needs different training than a new intern.
    3) Offer engaging, interactive training
       Gamification, role-based training, and bite-sized learning improve retention.
    4) Track improvements & risky behavior
       Identify employees who need extra training instead of treating everyone the same.
    5) Run continuous simulations, not one-time events
       Cyber threats evolve daily; training should too.
    6) Give the cyber awareness posture at the click of a button
       Department-wise reports of people & the potential learning gaps

    Awareness is not running a simulation & calling it a day. It's the actions & the next steps:

    - for improvement
    - knowing the awareness posture of everyone
    - for building a culture where employees become security assets

    If you’re a CISO evaluating solutions that train employees further based on their actual responses, DM me. My team works with a platform designed to make cyber awareness practical, engaging & effective.

    -- Hi, I’m Rajeev Mamidanna. I help mid-market CISOs strengthen their Cyber Immunity.

  • Alvin Rodrigues

    I help organisations turn their people into their strongest security asset | Cybersecurity Awareness Trainer | Keynote Speaker | Author | Human Firewall Builder and Behaviour Change Specialist

    10,308 followers

    Is Once or Twice-A-Year Cyber Training Enough?

    If your answer is "no" or "not sure", you are not alone. In Singapore, human error remains the number one cause of cyber breaches. According to the 2024 Voice of the CISO report by Proofpoint, 67% of Chief Information Security Officers in Singapore identify human error as their greatest cybersecurity risk. And while most companies are making progress (92% of CISOs say their employees understand their role in cybersecurity), that awareness has not yet translated into lasting behavioural change. Why is this the case?

    A Lesson from the Past

    The 2018 SingHealth breach compromised 1.5 million patient records, including those of Prime Minister Lee Hsien Loong. Investigations revealed that it was not only outdated systems and delayed responses that enabled the breach, but staff hesitation and gaps in training also played a critical role. The Committee of Inquiry made it clear: it was not just the technology that failed but also the human element.

    Why It Still Matters

    The simulation was conducted as part of Proofpoint's Exercise SG Ready, which involved over 4,500 employees across 14 countries. The results revealed that 17% of participants clicked on phishing links within a two-week period in Singapore, almost double the global average, highlighting the need for continuous, rather than one-time, cyber awareness training.

    What Could Work Instead

    Real change happens when learning is continuous and relevant. That means:

    - Short, focused modules delivered regularly, not all at once
    - Real-time phishing simulations that teach by doing
    - Monthly nudges and refreshers to keep awareness active
    - Make the training content personally relevant to the employees

    This is how you can build what we call a "human firewall", a workforce that is alert, informed, and ready to respond.

    Ready to Shift the Mindset?

    If the idea of turning routine training into something more engaging and lasting resonates with you, there are some interesting approaches worth exploring. I would love to share some ideas with you that could work in your local business context.

    #alvinsratwork #ExecutiveDirector #cybersecurity #cyberhygiene #Cyberawareness #BusinessTechnologist #Cyberculture

  • Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker | Board member | Co-Host of Control Room

    38,725 followers

    It’s not paranoia if they really are out to get you. And guess what? They are.

    While you’re busy worrying about VPNs and password policies, scammers are sliding into your employees’ DMs with sweet nothings, fake job offers, and “just one click” crypto deals.

    Welcome to the trifecta of human-targeted scams:

    - Romance
    - Recruitment
    - Financial fraud

    They don’t need root access if they’ve already got your heart, your résumé, or your retirement account.

    Are you protecting your people? Not just their inboxes. Them.

    Here’s what you’re up against:

    ❗ Deepfake-enabled fraud: $200M lost—in just one quarter of 2025
    ❗ AI-generated crypto scams: $4.6B stolen in 2024—up 24%
    ❗ Over 50% of leaders admit: no employee training on deepfakes
    ❗ 61% of execs: zero protocols for addressing AI-generated threats

    Companies spend millions locking down endpoints—then leave their employees to get catfished by a deepfake on Tinder.

    But here’s the good news: you’re not powerless. You just have to stop pretending a phishing test is a strategy (please).

    Here’s how to actually reduce risk:

    ✔️ Make your training real. Include romance bait, fake recruiters, and deepfake voicemails. If your simulations don’t mirror reality, it’s not training—it’s theater.
    ✔️ Train managers to notice when something’s off. Isolation. Sudden secrecy. Financial stress. These aren’t just HR problems—they’re prime conditions for social engineering.
    ✔️ Build a culture where it’s safe to ask, “Is this sketchy?” If your people feel dumb for asking, they’ll stop asking—and that’s how scams slip through.
    ✔️ Partner with HR. Online exploitation, financial manipulation, digital coercion—these are wellness issues and security issues. Treat them that way.
    ✔️ Empower families, not just employees. Scams often hit home first. Make your materials so good they want to send them to their group chat. Bonus: they’ll bring those healthy habits right back to work.

    When you protect the human—not just the hardware—you don’t just lower risk. You build trust.

    And for the record? Paranoia gets a bad rap. Sometimes it’s just pattern recognition.

    #Cybersecurity #HumanRisk #AIThreats #Deepfake #RomanceScams #AI #RecruitmentFraud #InsiderThreat #Leadership #DigitalWellness #SpycraftForWork

  • Jeremy Koppen

    EVP, Chief Information Security Officer

    4,401 followers

    Email may feel old-school compared to messaging apps and video calls, but it remains one of the most relied-on channels for business communication. That’s also what makes it such an attractive target. Threat actors know that if they can get into your inbox, they can get into your organization.

    Over the past few years, attackers have evolved their techniques by combining psychology, personalization, and AI to craft emails that look authentic. They don't just send one email; they often mimic normal work processes with follow-up messages and quick replies to build trust.

    Traditional defenses like secure email gateways, filters and firewalls help, but they can’t replace human judgment. The human element continues to be the most common entry point in cyber incidents.

    That’s why effective training matters. It needs to feel real, relevant, and connected to the threats employees actually encounter. We achieve this by running adaptive simulations that reflect modern phishing tactics. These are not the obvious “foreign prince needing information to send you money” scams we all know. They mirror the types of messages that blend into a normal workday.

    These simulations are intentionally challenging. AI-generated content, better targeting, and cleaner formatting make today’s phishing attempts harder to recognize. This allows us to test using realistic scenarios and see in real time how employees respond, including which red flags they identify and which ones they might overlook.

    We also implement learning modules on AI deepfakes and social engineering. Earlier this year, our teams even stepped into the role of the attacker and crafted phishing emails themselves to test our internal teams and detections. It gave them a deeper understanding of how easily a small detail can influence whether a message gets opened or reported.

    Cybersecurity is more than technology. It is about people. When we strengthen our employees’ instincts, we strengthen our entire organization.

  • Adrian S.

    Cybersecurity Leader | Building Security Programs That Deliver Results in Months, Not Years | CISO & Board Advisor

    4,441 followers

    I cancelled all mandatory security training. Phishing click rates dropped 40%. Not despite cancelling it. Because of it.

    For three years, our annual security awareness program ran like clockwork. Every employee completed the modules. Every completion was logged. Every quarter I reported 99%+ training completion to the board. The compliance box was checked.

    The phishing click rate barely moved. It went from 22% in year one to 19% in year three. A 3-point improvement over three years of mandatory training.

    The problem was not the content. The problem was the model. We were measuring activity — who finished the video — instead of behavior — who actually changed how they handle suspicious email.

    So I cancelled the program, took the $85,000 annual vendor cost, and rebuilt from scratch. The replacement was a Security Champion Network: 23 volunteers across every department, trained differently, motivated differently, and measured differently. No completion certificates. No annual modules. No compliance checkbox.

    Eighteen months later:

    - 13% phishing click rate (down from 22%).
    - Near-miss reporting up from 3 incidents per quarter to 47.
    - Security-related help desk tickets down 34%.

    The CFO (Chief Financial Officer) called it the best security investment we had made in four years. It cost $40,000 less per year than the program it replaced.

    Mandatory security training is security theater. It performs compliance. It does not produce behavior change. Every CISO (Chief Information Security Officer) inherits this model. Most have no framework to replace it.

    The 3-layer framework that replaced it — and the business case conversation with the CFO that made it happen — is in the full article.

    📄 Full framework + 90-Day Activation Plan: https://lnkd.in/gXpx2_rb
    📧 Thursday 5:30 PM CST (Central Standard Time): The Fast CISO Issue #10 — The Security Culture Scorecard: the metric that made our CFO ask why nobody had shown him this before. Subscribe: https://lnkd.in/gKv_jyAy

    #CISO #SecurityCulture #CyberSecurity #SecurityLeadership #SecurityAwareness

  • Manuel Barragan

    I help organizations in finding solutions to current Culture, Processes, and Technology issues through Digital Transformation by transforming the business to become more Agile and centered on the Customer (data-informed)

    24,809 followers

    Strengthen Your Human Firewall: Reinforce Security Through Recognition, Not Reminders

    Cybersecurity often feels like a list of “don’ts.” Don’t click. Don’t trust. Don’t forget. But fear-based compliance doesn’t build resilient teams—empowered behaviour does.

    If you want security habits to stick, celebrate them. When someone reports a phishing email, acknowledge it. When a team handles sensitive data securely during a tight deadline, highlight it. Positive reinforcement turns good security hygiene into everyday behavior, not just policy.

    An organization launched a simple “Security Spotlight” program, shouting out small wins, like avoiding a phishing scam or flagging a spoofed vendor invoice. It took minutes per week. Engagement skyrocketed. Security went from being “IT’s problem” to a shared team success.

    Here’s the shift: embed cybersecurity into the employee experience. Tie it into your EX programs, onboarding, and team rituals. Make it personal, relevant, and appreciated. Because when people feel seen and supported, they don’t just follow rules, they own them.

    Want to turn secure habits into part of your culture, not just your compliance checklist? Let’s talk about reinforcing the right behaviors with the right mindset with Digital Transformation Strategist.

  • Jared Kucij (Q-cig)

    Cyber Security Analyst | Network Security | Father | Marine Corps Vet | Career Advice | Mentor | Speaker | 15 years in IT | 7 years in Cybersecurity

    7,899 followers

    🚨 If your cybersecurity awareness training still starts and ends with phishing emails… we have a problem. 🚨

    Yes, phishing is still the most commonly used attack vector. It works. Attackers know it. We know it. But the game has changed.

    We are now seeing a major rise in:

    • AI-generated deepfake videos and audio
    • Vishing attacks that sound exactly like your CFO
    • Real-time AI voice cloning
    • Synthetic identities used in social engineering

    This is no longer theoretical. It is happening to real companies. An employee gets a call that sounds like the CEO asking for an urgent wire transfer. A manager receives a video message that looks and sounds like an executive requesting credential access. A help desk analyst hears a familiar voice requesting a password reset.

    Traditional “hover over the link” training does not prepare teams for this. The time to casually educate is over. This is now a must-have operational control.

    Cybersecurity awareness programs need to evolve from:
    Annual compliance videos
    To
    Continuous behavioral training and scenario-based simulations

    What needs to change:

    1. Train for voice verification protocols
    2. Implement out-of-band confirmation for financial transactions
    3. Teach employees how AI cloning works so they understand the threat
    4. Run live vishing simulations, not just phishing tests
    5. Build a culture where verifying is encouraged, not punished

    I can tell you this: Most successful attacks are not technical failures. They are human manipulation at scale. AI has made that manipulation faster, cheaper, and more convincing.

    Awareness training is no longer about avoiding suspicious links. It is about defending against synthetic reality.

    Leaders, update your programs. Security teams, push the conversation forward. Managers, normalize verification.

    The organizations that adapt will reduce risk. The ones that do not will learn the hard way.

    What changes have you made to your awareness program this year?

  • Flavius Plesu

    Pioneering Human Risk Management as Founder & CEO of OutThink - the original CHRM platform made by CISOs, for CISOs

    22,753 followers

    A dilemma every CISO faces, and the one that led to OutThink’s founding: How do you balance the need for cybersecurity awareness with cybersecurity fatigue? For a long time, the ‘solution’ was to either try not to overload employees (and therefore under-train them) or to simply insist full training is completed regardless (meaning employees will disengage, default to click-through behaviour and retain very little). But the answer is not how much training you give to your employees – it’s how little and how you present it. If employees are given relevant, role-based training, they are far more likely to engage and willing to take in information. That means deploying an intelligent, adaptive security awareness training tool that takes its intended audience into account instead of being one-size-fits-all. That means taking into account the role, level of knowledge, digital literacy and risk understanding of your audience, and not giving people training that is too basic or too advanced. It means understanding that people don’t want to be talked at. They want to be engaged!

  • Dorathy Christopher

    DFIR Analyst and Cybercrime Investigator | Investigating cybercrime, analyzing breaches, and turning evidence into insight | CyberGirl & Cyblack Alumna

    2,362 followers

    The biggest vulnerability in cybersecurity is not your system. It is your people.

    Over the past two weeks, my team and I led a focused CyBlack internship sprint on human factors in cybersecurity, using Securyth Consulting as our working environment. What we uncovered reinforced a truth many organizations still underestimate. People remain the most targeted and most exploitable layer of any security posture.

    Here is what stood out from our work:

    We identified nine active human-centric threats shaping today’s risk landscape. Phishing continues to dominate, but spear phishing is where the real danger lies. Attacks are now tailored, contextual, and convincing enough to bypass even experienced professionals. Weak passwords and the absence of multi-factor authentication continue to open the door to preventable breaches. Shadow IT is expanding unnoticed, creating blind spots that most organizations cannot account for. Insider risks, both intentional and accidental, are quietly increasing exposure. And deepfakes are rapidly emerging as a serious threat, with real financial consequences already recorded.

    One case that remains difficult to ignore is Deloitte’s 2017 breach. A single compromised account without MFA led to months of undetected access and millions in damage. The lesson is clear. Even the most advanced organizations are not immune when human factors are overlooked.

    In response, we designed and deployed a targeted security awareness program using the VIVIDA Reels platform. The goal was simple. Move away from static, one-time training and build something continuous, measurable, and accessible. Short, focused learning modules improved engagement. Platform analytics created visibility into user behavior. Accessibility testing ensured that participation was inclusive for all users. Security awareness needs to meet people where they are, not where we assume them to be.

    We also identified critical gaps in accessibility that directly impact usability for visually impaired users. These are not minor technical issues. They affect how effectively people can engage with security content, which ultimately influences organizational risk.

    So where do organizations go from here? Start with phishing simulations to understand real user behavior. Build role-based training that reflects actual responsibilities. Introduce dual authorization for high-risk actions. Create a clear and trusted incident reporting culture.

    Security awareness is not a compliance checkbox. It is an operational discipline. The organizations that get this right will not just reduce risk. They will build teams that can actively defend against it.

    What is your organization doing to strengthen the human layer of cybersecurity?

    cc: Dr Iretioluwa Akerele CyBlack

    #CyberSecurity #HumanFactors #SecurityAwareness #SOCAnalyst #BlueTeam #DFIR #Phishing #Deepfake #IncidentResponse #Cyblack #CyberGirls

  • James McQuiggan

    AI | Cybersecurity | Advisory CISO | HRM | OSINT (OSC) | Synthetic Media | Edutainer | Keynote speaker who turns awareness into action (and Delivers Dad Jokes on Demand) | Professor (CTI)

    10,769 followers

    🧑🏻💻 Your employees are shopping online right now. On company devices. During work hours. ⏰

    Cybercriminals know shoppers are rushing, distracted, and eager to grab limited-time offers during the holiday season, which makes November and December peak season for phishing campaigns, fake websites, and social engineering attacks.

    The kicker, and what most security awareness programs miss, is that the risky behaviors users exhibit during personal holiday shopping don't stay personal. They carry over into how they interact with work systems. If someone clicks a malicious Black Friday email at home, they're more likely to fall for a similar attack targeting your organization. Password reuse across shopping sites, email, banking apps, and social media creates a domino effect risk, as many of those reused credentials could include corporate accounts!

    The traditional approach: Send a generic "be careful shopping online" reminder email

    The Human Risk Management approach:

    👩🏻💻 Real-time simulations mimicking holiday scams (fake delivery notifications, too-good-to-be-true deals)
    👩🏾💻 Behavioral nudges when risky patterns emerge
    🧑🏻💻 Contextualized training that connects personal and professional risk
    👨🏽💻 Measuring and tracking human risk indicators throughout the season

    Scammers count on consumers making fast, emotion-based decisions when it comes to money or urgency. Users don't magically develop better judgment when they switch from Amazon to an organization's VPN or other portal. 🎄

    The holiday shopping surge isn't just a consumer security issue, but an organizational human risk event. And if you're not addressing it as such, you potentially are missing one of the most common threat windows of the year. 📆

    #HumanRiskManagement
