• 27 July 2022
  • 5 min read

Simulation training in cybersecurity: scenario-based training is crucial to behaviour change

What better method is there to train your employees for the cyber risks they face every day than cybersecurity simulation training?  Simulated training based on...

I Stock 1060862036 scaled 580x250 acf cropped

What better method is there to train your employees for the cyber risks they face every day than cybersecurity simulation training? 

Simulated training based on potential scenarios accurately emulates real world IT threats and pitfalls, whilst testing how your employees – and your organisation as a whole – deal with and report cyberattacks. When we run engaging and consistent simulation-based training, we effectively drill the correct security behaviours into employees.  

Simulation training also gives you tangible analysis on whether your training and development courses have been retained by your employees. Security managers can see whether their cyber defence protocols hold up to nefarious outside forces and whether their current security strategy makes sense to every single employee. 

There is no replacement for hands-on scenario-based training. You can deliver as many protocols as possible, and as many rules and regulations you want, but if the first time employees get to practice their newfound knowledge is in a real breach situation, you are inviting catastrophe with big ramifications. By practicing identification and risk reporting before a breach occurs, you build confidence in your workforce to spot and report cyber threats.  


Why you need to think about simulated/scenario-based training 

Every legitimate organisation will practice for fire drills and various other emergencies, so why don’t they do the same for cyber security attacks as well? 

In CyberEdge’s 2022 Cyberthreat Defence Report (CDR), it is revealed that 81.4% of UK organisations experienced a successful cyberattack in 2021/2022. As the frequency of cyberattacks increases for businesses of all sizes, we are seeing more companies give cybersecurity the attention it has always required … however UK businesses are still low down in IT budget levels when compared with other nations. UK business had the fifth lowest spend just 11.3% percent of their respective IT budgets, with countries such as Brazil (15.6%), Turkey (15.3%), Colombia (14.4%), Mexico (13.3%), Singapore (11.4%) and more spending far above the UK IT security. 

The potential reputational and financial damages, indeed experienced by many organisations over the last few years, has encouraged security managers and board members to look for ways to fortify their defences. But, as you can see from the figures above, we still have a long way to go. 

Cybersecurity training courses and physical materials are vital and provide a solid, unshakable foundation for many internal cybersecurity and awareness campaigns. But there is a lot of room for increasing the effectiveness and reach of your training.  

Instead of just teaching an employee what constitutes a strong password and how to create one, why not supplement their learning with valuable games and simulations that takes employees through password creation, management, and update scenarios so you know they will react the right way? 


The benefits of simulation training 

  • Improve your cybersecurity culture 

At TSC, we are all about behaviour change. The goal of any cybersecurity training and awareness campaign should always be to deliver the right security behaviours and for said behaviours to be retained and engrained in employees for the long-term. With simulation training, you engage all employees by changing how they think and react to cybersecurity threats.  

You can also use simulations to spot human errors and mistakes in the security process before a real world breach occurs, thus allowing you to improve your cybersecurity culture by ironing out incorrect behaviours. In this review of cognitive modelling and simulations in cybersecurity, it is explained that “Just as simulations in healthcare predict how an epidemic can spread and the ways in which it can be contained, such simulations may be used in the field of cyber-security as a means of progress in the study of cyber-epidemiology.” 

Furthermore, some gamified simulation training will allow employees to compete in leaderboard-based competition. Healthy competition encourages employees to behave correctly and creates an aware and supportive culture of security champions and supporters.  

  • Employees learn differently 

It is very naïve to think that everyone learns the same way. In 2022, the workplace will consist of multiple generations, cultures, learning levels, languages, and ways of learning. If you think the same one-size-fits-all training courses will be adopted by your entire workforce, you are not being realistic about the scope of your security and awareness campaign.

Some employees will simply never respond to eLearning courses the same way they might to scenario-based simulations. Everyone learns differently; by having variety in the way employees can access information, you increase the chances of information retention and building the right behaviours.  

  • Actionable employee behaviour data 

As we have mentioned already, one cannot overlook the importance of behaviour data because of simulation training. As simulation training emulates real IT environments and actual potential cyber risks, data managers and security officials will gain valuable information on how staff acts and responds to cyberattacks.  

Not only will data insight help aim your training in the right direction and at the right people, but it will also illuminate gaps in your security culture with actionable data that will inform how you plug these gaps. 

Other actionable data you will gain include identifying trainees and their individual struggles, bottlenecks in your security system, shortcomings in training materials and resources, as well as company-wide bad habits.  

Simulations can also be used on employees. For example, at the end of 2021, GoDaddy ran a simulated phishing attack on its employees, to increase their level of alertness against the growing threat of phishing. The fake phishing emails were sent to hundreds of GoDaddy employees offering a $650-holiday bonus. However, instead of receiving their much-awaited holiday bonus, the employees received an email from the company’s CISO revealing that they had failed their phishing test and needed to retake it. GoDaddy used simulated training methods to find employees with lax security behaviours and thus gaps in their security system. 

  • Nothing beats real life experiences 

This is a no brainer. By training your employees with real life environments and simulations of actual cyber risks, you reduce costs from actual breaches and improve the efficiency of your training. Practice does indeed make perfect and when you gamify learning with simulated training, you trick employees into learning better.  

As per a report by Business Wire, 97% of internet users globally are unable to recognise a sophisticated phishing email. With simulation training, you teach your employees every single phishing email tell and give them the best chance of avoiding cyber risks.  

According to this Forbes article on hands-on training: “In the real world, some things can’t be learned by watching another individual do a task or have it explained … it actually takes performing the task in a safe, protected environment to learn how to do it right.” 


Simulation training and the future of cybersecurity awareness 

Cyber criminals are only increasing in number and getting increasingly sophisticated. To combat this, businesses and data protection officers need to adapt their security awareness training with innovative new methods and engaging hands-on scenarios.  

Passive, lean back knowledge learning provides a solid foundation of information and understanding, but it is no longer enough if not delivered in tandem with hands-on simulations. Scenario based training and gamified simulations are the future of effective cybersecurity and awareness campaigns as they not only build secure behaviours but also spotlight chinks in your armour that need closer inspection.  

Have you embraced simulated/scenario-based training?  

Or are you curious to learn more? 


If you would like more informationabout how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley. 

See how we can help you protect your organisation today?