Conducting security awareness training is not enough for reducing risk. When people receive in-frequent, once a year or quarterly training, they get a lot of information at once on how to be responsible when they face online threats. Without frequent practice, they may not know what to do when they encounter an actual attack. It’s not about negligence. It’s about not providing people with the right training.
Behavior change is the best way to mitigate the risk related to employees. To strengthen organizational security, people must receive training that results in behavior change, meaning that they know what to do when they see a threat.