Staff Training Needs in Cyber Security

Training needs for employees in the area of cybersecurity

Employee Security Index (ESI) Benchmark shows it takes an average of three months of training for employees to develop an adequate understanding of cybersecurity.

According to Hornetsecurity‘s new Employee Security Index (ESI) Benchmark Report, organizations need three months of continuous training around cybersecurity for their employees to demonstrate an adequate understanding of the threats posed by related attacks. A break in training of just one month can cause a company’s ESI score to fall below the desired level – a four-month break can bring it back to zero.

The ESI Benchmark Report evaluated nearly 1.8 million simulated phishing attacks on 140,000 employees from more than 350 companies. The report shows that nine out of 10 attacks start with phishing, with nearly one in two emails (40%) posing a potential threat.

No universal solution for security training

The findings of the Benchmark Report are intended to help companies optimize the security awareness of different user groups. Only by demonstrating to their employees the success of constant training and regular testing of each individual’s security awareness can companies build a sustainable and robust security culture.

Hornetsecurity’s Awareness Engine delivers training modules that are aligned with each team member‘s individual training needs, depending on their ESI score. In addition, the engine grants organizations standardized indicators between different user groups. For example, if an employee shows a higher click-through rate on simulated phishing attacks, the engine can react accordingly and provide more intensive training to this person.

Calculation of the ESI score

The patented spear phishing engine generates the phishing emails itself and automatically controls which spear phishing scenarios are played out to which employees. These are divided into different levels of difficulty (spear phishing levels), which ensure that users during the spear phishing simulation are neither over- nor under-challenged.

Based on the number of clicks performed, an individual ESI score is calculated for each user, indicating how knowledgeable the employee is about the different attack methods. These training results enable companies to keep their own workforce up to date using ongoing training cycles.