One of the most important things for enterprises to remember when building a security program is that users are all dealing with human nature.

Fremont, CA: Security awareness training is an essential part of cybersecurity strategy since between 82 percent and 95 percentage of security events may be attributable to human-related reasons rather than a failure of cybersecurity technology. But the reality is that businesses frequently revert to a check-the-box approach where they presume they have "done security awareness"—they've delivered the valuable information, given employees the facts they think they need to know, and expressed their expectations. Regrettably, the reality is stranger than fiction. The following are three realities of security training for which businesses should get prepared:

•  Just because they are aware does not mean they care.

How many people drive by speed limit signs and notice them as a suggestion? We often view it as a risk-based calculus rather than a binary decision. People look at that speed limit sign and think, "Do They want to follow that based on the schedule, road conditions, what's going on in my car, my other priorities of the day?" Users create an internal and personal risk calculation and decide whether or not to follow it. The same thing occurs with cybersecurity. Employees do the same thing in their heads when presented with a security choice. They're taking security training under advisement (if they remember it) and are saying, "What are their priorities? Is it practical or not? Is this slowing them down? "Does this help them achieve my goals?" The issue is that security teams expect individuals to process information and behave in ways they do not. They are all human and susceptible to the same mentality.

•  If we work against human nature, we will fail.

One of the most important things for enterprises to remember when building a security program is that users are all dealing with human nature. Suppose there needs to be a gap between employees' expectations of obeying cybersecurity regulations and the realities of employee behavior. In that case, it's generally because the policy is not expecting people to be human. Instead, it expects them to be robots that process information and respond appropriately. Organizations anticipate that everyone will have the same degree of security expertise, maturity, and accountability, which is rarely the case.

•  What Employees Do is Way More Crucial than What They Know.

One must account for the gap between knowledge, intention, and conduct. Consider New Year's resolutions: users construct a list and declare, "they are going to lose weight," "they are going to save more money," they are going to spend more time with family," and so on. Users make these commitments intentionally and are aware of the advantages; nonetheless, most individuals fail to follow through because an overarching behavior pattern takes control, and they need the necessary habits. They don't care just because they are aware of it. Similarly, with cybersecurity, companies may slap a slew of standards on staff, but just because they get it doesn't imply they'll follow them.