Professional Documents
Culture Documents
WP 2022 Security Awareness Report PDF
WP 2022 Security Awareness Report PDF
Managing
Human Risk
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Key Findings
Executive Summary 3 People have become the primary attack vector for
Key Findings 3 cyber attackers around the world, so humans rather
than technology now represent the greatest risk
to organizations. 1 Security awareness programs, Maturing Your Program
Measuring Program Maturity 4
and the professionals who manage them, are This year’s report once again identifies what we have
Maturity by Region 6 key to managing that human risk. The SANS 2022 seen over the past three years: that the most mature
A PAC
Top Concerns/Risks 7 Security Awareness Report analyzes data provided security awareness programs are those that have the
by more than a thousand security awareness most people dedicated to managing and supporting
professionals from around the world to identify it. These larger teams are more effective at working
How to Grow and Mature Your Program 8
and benchmark how organizations are managing with the security team to identify, track, and prioritize
Leadership Support 9 their human risk. The goal of this data-driven report their top human risks, and at engaging, motivating,
is to provide actionable steps and resources to and training their workforce to manage those risks.
Team Size 10
enable organizations to mature their awareness The key to gaining leadership support to facilitate
Training Frequency 13 programs and benchmark them against others. this success is to demonstrate how awareness
programs are no longer just annual training to
How to Grow and Mature Your Career 14 This report is divided into two sections. The first check the compliance box but are critical for
section looks at how to grow and mature your organizations to effectively manage their human risk.
The Part-Time Awareness Professional – The Curse of Knowledge 14
EMEA
level of maturity and key metrics to measure it. fundamentals of cybersecurity and how to work
Growing Your Career 26
closer with and better support their security team.
Acknowledgments 30
2 3
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Measuring Program
G LOBA L
Maturity
A key goal of this report is to enable you to build Promoting Awareness and Behavioral Change
and manage a mature security awareness program. The security awareness team is part of and
A PAC
By mature, we mean an organization’s ability actively works with the security team. The program
to effectively identify, manage, and measure its identifies the target groups and training topics
human risk. To measure the maturity of awareness that have the greatest impact on managing human
programs, we leverage the Security Awareness risk and ultimately supporting the organization’s Non-existent Compliance- Promoting Long-term Metrics
focused Awareness & Sustainment & Framework
Maturity Model. Established in 2011 through a mission. The program goes beyond just annual Behavior Change Culture Change
coordinated effort by more than 200 awareness training and includes continual reinforcement
officers, the Security Awareness Maturity Model throughout the year. Content is communicated in
enables organizations to identify and benchmark the an engaging and positive manner that encourages
current maturity level of their security awareness behavioral change. As a result, people understand The survey that is the basis for this report asked for this. The first is that there is an increase in more
program and determine a path to improvement. and follow organization policies and actively respondents to determine the maturity level of their organizations starting new awareness programs, with
The most mature security awareness programs recognize, prevent, and report incidents. program, as shown in the figure below. The biggest most programs beginning at the compliance level.
EMEA
not only change their workforce’s behavior and change from last year is an 8 percent increase A second is that organizations have become better
culture, but also measure and demonstrate their Long-Term Sustainment and Culture Change in compliance-driven programs (level two of the at understanding and determining their maturity
value to leadership via a metrics framework. You The program has the processes, resources, and model) and a 10 percent decrease in behavior level. As a result, they are taking a more realistic
can easily determine your program’s maturity leadership support in place for a long-term life change programs (level three of the model). This measurement of their program and identifying that
level (and how to improve it) by using the Maturity cycle, including (at a minimum) an annual program may seem counter-intuitive, as it appears that it is still at the compliance level and perhaps not
Model Indicators Matrix, included separately with review and update. As a result, the program is an programs have become less mature since last year. as mature as they may have originally believed.
this report. The maturity levels are as follows: established part of the organization’s culture and However, there are several possible explanations
is current and engaging. The program has gone
Non-existent beyond changing behavior and is changing people’s
Current Maturity Level
There is no security awareness program beliefs, attitudes, and perceptions of cybersecurity.
in any capacity. Employees have no idea Non-existent
that they are a target or that their actions Metrics Framework
NALA
have a direct impact on the security of the The program has a robust metrics framework
organization, do not know or follow organization aligned with the organization’s mission and Compliance-focused
policies, and easily fall victim to attacks. leadership priorities to track and measure
impact. As a result, the program is continuously Promoting
Awareness &
Compliance Focused improving and able to demonstrate return on Behavior Change
The program is designed primarily to meet specific investment. Metrics are an important part of
Long-term
compliance or audit requirements. Training is every level of the maturity model; this level Sustainment &
Culture Change
limited to being provided on an annual or ad simply reinforces that to truly have a mature
hoc basis. Security awareness professionals program, you must go beyond change and have a
Metrics
are disconnected from and do not work with framework that demonstrates value to leadership. Framework
SUM MARY
4 5
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
of phishing attack, including email- the top three, tied with BEC. These attacks
Africa based phishing, SMS-based smishing, often get the most attention because
and voice-based vishing. This is no they are highly public and often require
surprise and reflects the same findings an organization to provide a breach
from numerous other security reports, notification to its customers or to a
including the Verizon DBIR and reporting authority. The vast majority of
Microsoft Digital Defense Reports. ransomware infections either start with
Asia a phishing attack or with exploiting weak
2
passwords, both human-based risks.
Business Email
Compromise (BEC)
EMEA
South America
SUM MARY
6 7
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
A key goal of this report is to identify the key drivers of program maturity and enable Action Items for Greater Leadership Support
organizations to focus on and prioritize those drivers. For a security awareness
program to be truly successful, these drivers are what we found to be critical.
A PAC
1
Far too often, security awareness Does leadership perceive the Dedicate two to four hours a
Leadership Support As you review the findings, notice how all
is perceived as a compliance
effort, or security awareness
human as a significant risk?
Leverage data and statistics
month to collecting metrics
about the impact and value of
The most mature awareness programs three of these drivers are interrelated. The professionals are perceived to demonstrate to leadership your awareness program and
are those that have had the greatest larger your security awareness team, the to be in an “entertainment” the need to address human communicating it to leadership.
leadership support. This is not a surprise, more effectively you can partner with other business that focuses on getting risk. Work with your Security This information can include
as this has been a consistent finding departments and the more frequently you employees excited about Operations Center, Incident informal metrics, established
for the past three years, and it aligns can train and engage and communicate with cybersecurity but has little Response, or Cyber Threat key performance indicators,
with findings from other organizational your workforce. The stronger your leadership perceived business benefit to Intelligence teams to better or even success stories.
change programs and related research. support, the larger your security awareness the organization. To effectively document key human risks Enable leadership to better
EMEA
team, but also the greater the resources engage leadership, focus on and and show how people are understand and regularly see
and support you’ll have to effectively train, use terms that resonate with one of the largest drivers for the value that your program
2
partner, and engage with your workforce. them and demonstrate support incidents at your organization. is providing. Not sure what
Team Size The sections that follow cover each
for their strategic priorities. Don’t
talk about what you are doing,
metrics to collect? Review the
Maturity Model Indicators Matrix
The most mature awareness programs of the three critical drivers in more talk about WHY you are doing it, included with this report.
have the largest security awareness detail and recommend action items. and specifically and demonstrate
teams. Managing human risk is not a how security awareness is
technology challenge, it is a human effectively managing your
challenge, and as such it requires organization’s human risk.
people to solve the problem.
NALA
3 Frequency
New for this year, we measured training
frequency for organizations. The most
mature awareness programs also had the
most frequent training for their workforce.
SUM MARY
8 9
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Team Size
Top Challenges in Managing Awareness Programs
G LOBA L
Lack of budget
3.5 Other
number of full-time employees on security awareness team
1.5
1 As stated earlier, managing human risk is a people and sufficiently large security awareness team
problem, and for the past three years our findings is key to managing and measuring a mature,
0.5 have reinforced that to effectively manage human high-impact security awareness program.
risk, people are also the solution. A dedicated
0
Mean
Behavior Change Culture Change
1.4
1.2
One of the questions asked of respondents was to These challenges were and still are compounded by
1
identify the top challenge they face in building and COVID-19. We asked respondents how the pandemic
perceived impact
managing an awareness program. The top three impacted them. Their top two responses were that 0.8
responses were all related to lack of time: “Lack of it has not only created a far more distracted and 0.6
time for project management,” “Limits on training overwhelmed workforce but has also created an
0.4
time engaging employees,” and “lack of staffing.” environment where human-based cyber attacks
have become more frequent and effective. 0.2
SUM MARY
10 11
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Training Frequency
G LOBA L
are on your security team. Then out of all those train them. Work with Human Resources to help
individuals, determine how many employees on with new hires or in measuring and building a
the security team are dedicated to technology strong culture. Work with Business Operations
versus how many are dedicated to the human to help analyze metrics and data points.
side of risk. As a starting point, consider having
a 10 to 1 ratio of technical security professionals
to human- focused security professionals.
how to create a secure home, or launching a fun do the same for the human operating system.
12 13
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Physical Security
Information Security
Marketing/Graphic Design
Communications/
Public Relations
The second goal of this report is to enable security awareness professionals to grow their Human Resources
careers, including their compensation. The hope is that in the near future we will begin Legal/Audit/Compliance
to see CISOs who started their careers on the human side of cybersecurity.
A PAC
Software Development
Training
The term sometimes used for a person who has program based on these misconceptions. As
Among security awareness professionals, 69 percent dedicated full-time to supporting their awareness expertise but struggles to communicate that a result, what experts tend to communicate
are part-time, spending less than half their time on program. We define full-time as someone dedicating expertise is “Curse of Knowledge,” a type of cognitive is often confusing, difficult, intimidating, and
security awareness and focusing on other priorities. 70% or more of their time on security awareness. bias. The more expertise people have on a subject, even overwhelming for non-experts. This not
EMEA
Only 18 percent of awareness professionals are the more difficult it can be for them to teach only creates less effective training materials, it
or communicate it. Security professionals often also impacts communication to leadership and
perceive security as being “simple” because it and ultimately can create a negative security culture.
Percentage of Time Dedicated to Awareness
the technology related to it are a part of their daily Security awareness professionals with strong
250
life. Experts can further make assumptions that technical and security backgrounds should take
200 security and technology are “common knowledge” care to be aware of their Curse of Knowledge.
for everyone else and then build their awareness
150
100
Action Items for Technical Professionals
50
Know Your Bias communication and engagement. This can include
NALA
0
If you have highly technical skills or a strong security training someone on your security team, partnering
0-10 10-20 20-30 30-40 40-50 50-60 60-70 70-80 80-90 90-100
background, make sure you work with others to with your Communications or Marketing Department,
help craft your messaging. Your expertise is a plus, or even embedding a staff member from those
but security concepts and technologies that are departments in your security awareness team. Or,
In addition, the large majority (72%) of security programs struggle to engage their workforce. Having easy for you are most likely difficult, confusing, and consider acquiring the appropriate skills yourself
awareness professionals have a technical a strong technical or security background is valuable, intimidating for most others. One of the biggest to more effectively engage your workforce. Review
background. The data implies that most people as it enables people to understand the common challenges security professionals often face is the Career Development section in Appendix B.
leading or managing awareness programs are most technologies and behaviors that pose a risk to making security simple for their workforce.
likely already part of the security or IT team with the organization and the tactics, techniques and If you are among that small percentage of security
technical responsibilities. They have been assigned procedures of cyber attackers. However, having “too Access or Develop Communication team members devoted full-time to security
SUM MARY
to manage their organization’s awareness program technical” a background can also sometimes mean and Engagement Skills awareness, or among the small percentage that
in addition to their other normal responsibilities. the person lacks the skills to effectively communicate Be sure you have someone on your awareness does not have a technical background, you will find
This can help explain why so many awareness those risks or meaningfully engage employees. team who has the skills required for effective the next section on compensation very interesting.
14 15
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Compensation –
G LOBA L
average only $86,626 while those who are part-time human risk. Human risk is be so much more. Work with the expert (that is what a security
averaged $117,584, a $30,000 difference. Why such a far more aligned with most security team to improve and team is for), but it is important
disparity? We believe the answer is perceived value. organization’s strategic security simplify its communications with to have an understanding of
The data suggest that those who are part-time are priorities, far more likely to your workforce, help manage the models, frameworks, and
often already part of the security or information gain leadership buy-in, and far security tool rollouts to your terminology. This will enable
technology team and security awareness is simply more likely to resonate with a workforce (such as multi-factor you to better understand
an addition to their other responsibilities. Their security team. Help your security authentication), work with the your organization’s risks and
higher salary could be a reflection of them being team identify your top human security team to create policies communicate with others about
compensated for other security or technical skills. risks and the key behaviors that that are easier for people to them, and you will be perceived
Those who are dedicated full-time to awareness manage those risks. Demonstrate understand and follow, and as more valuable by your more
often have non-technical backgrounds, such as how effective communications, partner with the Incident technical team members.
EMEA
communications, and are compensated specifically training, and engagement is Response team to assist in
for their security awareness role, which is often changing those key behaviors any incident communications,
not as valued as most other security roles. and reducing human risk. internally or externally. Work
with senior leadership on
The key challenge here is perception. Too often, table-top exercises to rehearse
security awareness professionals are perceived senior leadership incident
as being in the “entertainment business” because response abilities. You have a
they talk exclusively about engaging and training huge number of opportunities
the workforce. But this overlooks the fact that to expand your value to the
security awareness professionals are not just security team and leadership,
in the business of changing human behavior; so make the most of them!
ultimately they are key to managing human
NALA
program, the higher the salary for the awareness professionals who work there.
16 17
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Background
250
150
50
6 45 35 14 14
0
A PAC
0 50 100 150 Physical Information Information Marketing/ Comm/ Human Legal/ Software Training Other
number of programs Security Technology Security Graphic Public Resources Audit/ Development
Design Relations Compliance
Non-existent Compliance-focused
Promoting Awareness Long-term Sustainment Metrics 51.52% 30.19% 45.83% 37.36% 52.71%
& Behavior Change & Culture Change Framework
0 50 100 150
$102,396.35
Compliance-focused number of programs
Total Average Salary Amount
$101,309.00
COVID Challenges
Promoting Awareness Long-term Sustainment Metrics
Non-existent Compliance-focused
& Behavior Change & Culture Change Framework
2.0
AVERAGE
2.67 0
Increased Dimished Diminished Training Budget Reduction
0 5 10 15 20 Cyber Threats Audience Focus Company Focus Technology
average team size
18 19
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Background
250
150
50
16 84 101 38 20
0
A PAC
0 100 200 300 Physical Information Information Marketing/ Comm/ Human Legal/ Software Training Other
number of programs Security Technology Security Graphic Public Resources Audit/ Development
Design Relations Compliance
Non-existent Compliance-focused
Promoting Awareness Long-term Sustainment Metrics 39.46% 32.39% 42.75% 44.80% 68.69%
& Behavior Change & Culture Change Framework
Non-existent
Promoting Awareness Long-term Sustainment Metrics
3 & Behavior Change & Culture Change Framework
Salary
20 76 93 67
Average Salary Amount
$101,309.00
COVID Challenges
Promoting Awareness Long-term Sustainment Metrics
Non-existent Compliance-focused
& Behavior Change & Culture Change Framework
2.0
AVERAGE
2.48 0
Increased Dimished Diminished Training Budget Reduction
0 5 10 15 20 Cyber Threats Audience Focus Company Focus Technology
average team size
20 21
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Background
250
150
50
20 153 218 83 44
0
A PAC
0 200 400 600 Physical Information Information Marketing/ Comm/ Human Legal/ Software Training Other
Security Technology Security Graphic Public Resources Audit/ Development
number of programs
Design Relations Compliance
Non-existent Compliance-focused
Promoting Awareness Long-term Sustainment Metrics 19.93% 29.89% 35.98% 44.36% 45.48%
& Behavior Change & Culture Change Framework
$101,309.00
COVID Challenges
Promoting Awareness Long-term Sustainment Metrics
Non-existent Compliance-focused
& Behavior Change & Culture Change Framework
2.0
AVERAGE
2.47 0
Increased Dimished Diminished Training Budget Reduction
0 5 10 15 20 Cyber Threats Audience Focus Company Focus Technology
average team size
22 23
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Summary of
Develop Partnerships
G LOBA L
priorities. Don’t talk about what you are doing, side of risk. As a starting point, consider having engaging them and making that training simple to
talk about WHY you are doing it, and specifically a 10 to 1 ratio of technical security professionals understand and follow. In many ways training is just like
demonstrate how security awareness is effectively to human-focused security professionals. working out – it is the frequency that is important.
managing your organization’s human risk.
Break Down Your Needs
Create a Sense of Urgency Document all the different steps and initiatives you
Does leadership perceive the human as a significant need to take for your security awareness program
risk? Leverage data and statistics to demonstrate to to be effective. These can include working with
leadership the need to address human risk. Work with the security team to identify and monitor your
your Security Operations Center, Incident Response, or top human risks, working with Audit and Legal
Cyber Threat Intelligence Teams to better document for compliance purposes, partnering with Human
key human risks and show how people are one of the Resource and Communications for employee
NALA
largest drivers for incidents at your organization. outreach and training, working with IT, developers,
and other technical staff to design role-based
Communicate the Impact training, etc. If you can identify and document the
Dedicate two to four hours a month to collecting number of full-time employees needed for each of
information about the impact and value of your these efforts, and at the same time demonstrate
awareness program and communicating it to leadership. the value of these efforts, leadership will have
This information can include informal metrics, a better understanding of why you need more
established key performance indicators, or even success help. If you can’t hire full-time employees on your
stories. Enable leadership to better understand and team, see if you can hire short-term contractors
regularly see the value that your program is providing. to take on and help manage specific initiatives.
SUM MARY
24 25
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
easy for you are most likely difficult, confusing, and with your Communications or Marketing Department,
intimidating for most others. One of the biggest or even embedding a staff member from those
challenges security professionals often face is departments in your security awareness team. Or,
making security simple for their workforce. consider acquiring the appropriate skills yourself
to more effectively engage your workforce. Review
the Career Development section in Appendix B.
Leadership or security teams often perceive security the security team to create policies that are
awareness not as part of security, but rather as easier for people to understand and follow, and
a compliance effort that has little relevance to partner with the Incident Response team to assist
managing risk. To help change such perceptions, in any incident communications, internally or
focus on and speak in terms of managing human externally. Work with senior leadership on table-top
risk. Human risk is far more aligned with most exercises to rehearse senior leadership incident
organization’s strategic security priorities, far response abilities. You have a huge number of
more likely to gain leadership buy-in, and far opportunities to expand your value to the security
more likely to resonate with a security team. Help team and leadership, so make the most of them!
your security team identify your top human risks
and the key behaviors that manage those risks. Develop Your Skills
Demonstrate how effective communications, Review Appendix B on Career Development. For those
NALA
training, and engagement is changing those of you without a security or a technical background,
key behaviors and reducing human risk. you may want to develop your understanding of
security fundamentals so that you have a better
Expand Your Role understanding of the terms, technologies, and
Far too often, security awareness professionals challenges involved. You are not expected to become
are perceived simply as the individual responsible a technical expert (that is what a security team is
for the annual computer-based training or some for), but it is important to have an understanding
similar activity. However, as a leader in managing of the models, frameworks and terminology.
human risk, your role can and should be so much This will enable you to better understand your
more. Work with the security team to improve and organization’s risks and communicate with others
SUM MARY
simplify its communications with your workforce, about them, and you will be perceived as more
help manage security tool rollouts to your workforce valuable by your more technical team members.
Download
26 27
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Appendix B.
G LOBA L
a wide range of security topics across the entire change. Change in not only how people think
security stack. Data, network, host, application, about security, but what they prioritize and how
and user controls are covered in conjunction with they act, from the Board of Directors on down.
key management topics that address the overall Organizational change is a field of management
Career Development
security lifecycle. This also includes governance study that enables organizations to analyze, plan,
and technical controls focused on protecting, and then improve their operations and structures
detecting, and responding to security issues. by focusing on people and culture. The two-day
MGT521 course teaches leaders how to leverage
SANS SEC301: Introduction to Cybersecurity. the principles of organizational change, enabling
Jump-start your security knowledge with insight them to develop, maintain, and measure a
A critical takeaway from the 2022 report is that and risk analysis. Those new to communications and instruction on critical introductory topics security-driven culture. Through hands-on, real-
your compensation as a security awareness and engagement will learn key concepts such as that are fundamental to cybersecurity. This five- world instruction and a series of interactive labs
A PAC
professional is in large part driven by your training the Attention, Interest, Desire, and Action Model day course takes a technical approach for those and exercises where you will apply the concepts
and skills, including understanding key concepts and the Start with Why and Curse of Knowledge new to cybersecurity. It covers everything from of organizational change to a variety of different
of cybersecurity and risk management. Security concepts, along with other models and principles. core terminology to the basics of computer security initiatives, you will quickly learn how to
awareness is ultimately about risk management, Course content is based on lessons learned from functions and networks, security policies, password embed cybersecurity into your organizational culture.
so the better you understand the concepts of hundreds of security awareness programs from usage, cryptographic principles, network attacks
security, the more effective you are not only at around the world. You will learn not only from and malware, wireless security, firewalls and
managing human risk but at communicating your instructor, but from extensive interaction many other security technologies, web and Advanced Level
that risk (and your value) to leadership. Skills with your peers. Finally, through a series of labs browser security, backups, virtual machines, and
such as communications, project management, and exercises, you will develop your own custom cloud computing. All topics are covered at an Once you have five to seven years of experience
and partnership are key to a successful security security awareness plan that you can implement introductory level. The hands-on, step-by-step and want to truly develop your security leadership
awareness career, but as this field matures you as soon as you return to your organization. teaching approach enables you to grasp all the skills, consider MGT514. This course will walk
EMEA
also need to understand the fundamentals of information presented, even if some of the topics you through the strategic planning process and
cybersecurity. You neither need nor are expected are new to you. You’ll learn real-world cybersecurity challenges faced by Chief Information Security
to develop a deep set of technical security skills, What Next? fundamentals to serve as the foundation of your Officers (CISOs). Many people consider this the
but you do need to build and understand key career skills and knowledge for years to come. “CISO course,” helping develop new and experienced
fundamentals such as security frameworks, risk Once you have the basics down and want to further CISOs become better security leaders. By better
assessments, and cyber threat actors and their develop your skills and career, you may need to Not sure which one of these two courses to understanding CISO challenges, priorities, and
relevant tactics, techniques, and procedures. As such, develop your security expertise if you do not have take? If you are looking for more of a high- concerns, you can more effectively collaborate with
this appendix presents a career development path a technical or security background. Understanding level or management perspective on the them and communicate in their terms and language.
to help you strengthen your security knowledge. the fundamentals will not only help you better world of information security, we recommend
understand the risks and the behaviors that manage MGT512. If you want a more hands-on, technical SANS MGT514: Security Strategic Planning, Policy,
those risks, but also empower you to more effectively introduction to the tools and technology of and Leadership. This five-day course gives you
Where to Start communicate with your security team and security cybersecurity, then we recommend SEC301. the tools to become a security business leader
NALA
leadership. There are two different five-day courses who can build and execute strategic plans that
If you are new to the world of information to consider at this stage in your career. Each has its resonate with other business executives, create
security and/or security awareness, the very advantages, depending on what you hope to achieve. Intermediate Level an effective information security policy, and
first course you may want to start with is: develop management and leadership skills to
SANS MGT512: Security Leadership Essentials for Once you have two to four years of experience better lead, inspire, and motivate your teams.
SANS MGT433: SANS Security Awareness: How to Managers. This five-day course empowers you in security awareness and feel confident
Build, Maintain, and Measure a Mature Awareness to become an effective security manager and in the concepts of both cybersecurity and By actively growing your skills
Program. This two-day course lays the foundation get up to speed quickly on information security organizational behavior, we recommend MGT521. and knowledge, you can become
for understanding security awareness, managing issues and terminology. You won’t just learn a more effective leader and
human risk, and ultimately changing organizational about security, you will learn how to manage SANS MGT521: Driving Cybersecurity Change: at the same time dramatically
SUM MARY
behavior. Those new to security will gain a better security. To accomplish this goal, MGT512 covers Establishing a Culture of Protect, Detect and improve and broaden your
understanding of concepts such as risk management Respond. Cybersecurity is no longer just about career opportunities.
technology, it is ultimately about organizational
28 29
S A N S 2 0 2 2 S E C U R I T Y A W A R E N E S S R E P O R T TM
Acknowledgments
G LOBA L
The 2022 Security Awareness Report was developed by the community for the community, in
partnership with the SANS Institute. The following key contributors produced this report.
Dan DeBeaubien Lance Spitzner The authors would like to thank the team from the Kogod Cybersecurity Governance Center (KCGC)
Dan joined SANS in 2014 and serves as the Director Lance Spitzner has more than 25 years of security for their key role in the independent analysis of the data in this report. KCGC is a research initiative
of Digital Innovation focusing on digital products and experience in cyber threat research, security of American University’s Kogod School of Business that conducts research to equip today’s business
Security Awareness and Human Risk product strategy. architecture, and awareness and training. He leaders with the best actionable intelligence on cybersecurity and privacy. KCGC’s expertise spans
Dan is a 30-year veteran of information technology helped pioneer the fields of deception and cyber multiple areas, including data privacy, cybersecurity, data management, and data analytics.
and a former CTO for Michigan Technological intelligence with his creation of honeynets and
University. He has held a variety of posts throughout his founding of the Honeynet Project. In addition,
his career, including Senior Systems Administrator, Lance has published three security books, consulted Dr. Heng Xu Dr. Nan Zhang
Senior Telecommunications Engineer, and Director in more than 25 countries, and helped more Dr. Heng Xu is a Professor of IT & Analytics at the Dr. Nan Zhang is a Professor of IT and Analytics at
of Information Technology Services and Security. than 350 organizations build security awareness American University’s Kogod School of Business, the American University’s Kogod School of Business.
EMEA
Before joining the SANS team, Dan created Michigan and culture programs to manage their human where she also serves as the Director for the Kogod Dr. Zhang is a world-renowned expert on database
Tech’s Information Security Office and held the risk. Lance is a frequent presenter and a serial Cybersecurity Governance Center. Before joining systems and data analytics, having published more
positions of Chief Information Security Officer tweeter (@lspitzner), and he works on numerous Kogod, she had both an academic and government than 100 research papers and served as a program
and Chief Information Compliance Officer. community projects. Before entering the information background. She was a professor at Penn State for director at the U.S. National Science Foundation
security field, Lance served as an armor officer 12 years, as well as a program director at the U.S. (NSF). Before joining Kogod, Dr. Zhang was a
in the U.S. Army’s Rapid Deployment Force and National Science Foundation (NSF) for three years. Dr. Professor of Information/Computer Science at Penn
earned his MBA from the University of Illinois. Xu’s current research focus is on information privacy, State University, George Washington University,
data ethics, and data analytics. She has received and UT Arlington. His has received several awards
many awards for her work, including the Woman for his work, including the Communications of the
of Achievement Award in IEEE Big Data Security ACM Research Highlight (2020), the ACM SIGMOD
(2021), the IEEE ITSS Leadership Award in Intelligence Research Highlight Award (2019), the NSF CAREER
and Security Informatics (2020), the Operational Award (2008), and many best paper awards and
NALA
Research Society’s Stafford Beer Medal (2018), the nominations at various leading research conferences.
NSF CAREER Award (2010), and many best paper
awards and nominations at various conferences.
SUM MARY
30 31
About SANS Security Awareness
SANS Security Awareness, a division of the SANS Institute, provides
organizations with a comprehensive security awareness solution
that enables them to easily and effectively manage their human
cybersecurity risk. SANS Security Awareness has worked with
more than 1,300 organizations and trained more than 6.5 million
people around the world. The program offers globally relevant
and expert-authored tools and training to help individuals shield
their organization from attacks, as well as a fleet of savvy guides
and resources to guide their work every step of the way.