Survey report reveals 56% of employees still receive no security awareness training; employee decisions continue to put organizations at risk

A new research survey sponsored by Security Mentor and conducted by Enterprise Management Associates (EMA) takes you inside today’s organizations to reveal how employee decisions related to information security can significantly increase organizational risk.

Today at 2 p.m. EDT, EMA Research Director David Monahan will share details from the upcoming report in a webinar titled “Security Awareness Training: Keys to Improved Organizational and Internet Security.”

To register, visit: http://research.enterprisemana...

The “Security Awareness Training: It’s Not Just for Compliance” report surveyed over 600 employees from organizations ranging from small businesses with fewer than 100 staff to enterprises with 20,000 employees. This report examines the implementation of security awareness training in government, public and private companies and non-profit groups.

EMA published the report’s Executive Summary today and it is available here.

According to employee responses in the survey report:

  • 30% leave mobile devices unattended in their vehicle
  • 33% use the same password for both work and personal devices
  • 35% have clicked on a link in an email from an unknown sender
  • 58% have sensitive information on their mobile devices
  • 59% store work information in the Cloud

Some of the reported behaviors present inherent risks, while others depend on contributory factors like the failure to use device or data encryption. Insights into why employees make risky choices are revealed in two other report findings. Fifty-six percent of corporate employees, excluding security and information technology staff, have not had security or policy awareness training from their organization, while 45% of employees received training in one annual session. Without the foundation of ongoing security awareness training, employees don’t receive the critical security information they need to make secure choices.

Security Mentor, a leading provider of security awareness training, sponsored the EMA report to examine the implementation and effectiveness of security awareness training programs in organizations. “People repeatedly have been shown as the weak link in the security program. Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realize what they are doing is wrong until a third party makes them aware of it,” said Mr. Monahan. “In reality, organizations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well.”

The survey findings reflect not only the importance of having training, but also the quality of training. Sixty-six percent of employees responding to the survey said it is important that training materials are easy to understand; and 59% say that interactive activities are important.

“While today’s organizations continue to harden their infrastructure to protect against the latest cyber threats, this report reveals that they too often fail to arm their employees with the critical information needed to avoid a data breach, prevent phishing, or report a possible security incident,” said Craig Kunitani, COO with Security Mentor. “Every organization should make security awareness training part of its defense in depth strategy. Many of our customers report they’ve had great success in educating their staff using our security awareness training program because of our brief, interactive, and informative lessons.”

Report Recommendations for Evaluating Security Awareness Training
The research report recommends specific minimum features and functions organizations should consider when evaluating a security awareness training program. Recommendations include that training should be based on instructional design principles; be interactive, fun and flexible for different learning styles; provide content that addresses top security concerns and threats; have excellent reporting capabilities for administrators; and be easily measurable to demonstrate effectiveness and reduce risk to an organization.

About Security Mentor

Security Mentor, Inc., pioneer of security awareness training that employees love to take, enables companies in every industry to reduce risk by creating a more secure workforce. The Security Mentor CORE curriculum trains employees on 12 key security topics including Phishing, Office Security, Mobile Security, Information Protection and Web Security. Interactive, highly engaging lessons teach critical security skills in an easy-to-understand, fun format. Our Brief, Frequent, Focused™ training model of 10-minute lessons delivered monthly fits employees' busy schedules and keeps security top of mind. Simple to administer, organizations can take Security Mentor training as a service from Security Mentor's website with username/password authentication or Federated Single Sign-on (SSO), or as SCORM 1.2 compliant modules hosted on an organization's corporate LMS (Learning Management System). Either way, trainee progress and completion are tracked and reported. Incorporated in 2008, Security Mentor has customers ranging from Fortune 500 enterprises to local and state governments, including the State of Michigan, State of Maryland and Omnicom Media Group. To learn more, take a look at our two-minute introductory video or request a demo at


Karen Burke
Security Mentor