Rise of AI-Powered Security Awareness Training In the Workplace
- By Erich Kron, KnowBe4
- July 20, 2024
While generative AI (GenAI) became widely adopted in late 2023 with the introduction of ChatGPT and similar tools, chatbots have actually been around since the 1960s. Until recently, though, this technology wasn’t readily available to the general public. Broad consumer adoption raised awareness of both the potential and the peril of these tools; organizations recognize the importance of leveraging the potential while acknowledging the perils and taking steps to respond to them.
One interesting application for AI in the workplace is security awareness training. Cyber threats are continually emerging, prompting the need for ongoing training and education. AI offers opportunities to streamline training and apply it in more focused and personalized ways.
Personalized learning
Employees differ in their threat awareness training needs and in their levels of security maturity and understanding. For example, IT or security employees need more technical training than employees in sales and marketing. AI offers the opportunity to analyze individual employee roles, responsibilities, and knowledge levels to create personalized learning experiences. This can not only help improve learning outcomes but can also improve participation and satisfaction with training programs.
AI technology can also extend the reach of training with less time and effort. Consider, for instance, the possibility of creating one training program in English and then, through AI, recreating multiple versions to be delivered to different global user locations.
Predictive training applications
AI can be used to analyze patterns in employee behaviors and predict potential security risks so targeted training interventions can be automatically applied. A proactive approach like this can help address new vulnerabilities before they spread and evolve into full-fledged threats.
Following a phishing simulation, training can be provided to employees based on how they responded to the simulation, offering refreshers for those who need it or providing increasingly more difficult-to-identify phishing exercises for those who are more adept.
Training and information on demand
Chatbots equipped with natural language processing (NLP) capabilities can offer employees real-time access to the security-related answers and information they need. This extends training beyond formal sessions, making the information accessible and always available.
AI-powered systems can adjust training content in real time as training is delivered. If an employee struggles with part of the content or concepts, additional explanations or examples can be provided.
Making it fun
Simulations and challenges can make learning what might otherwise be dry or dull security-related content fun. AI can add gamification elements to the training, dynamically adjusting difficulty levels and challenges based on individual progress. Virtual and augmented reality can be used to simulate experiences in a game-like environment. Accompanying gamified training delivery with challenges and rewards can help engage employees and keep them motivated while learning.
Continuous improvement through analytics
Analytics can be applied to assess user behaviors and monitor social engineering risks continuously. Continually monitoring training metrics beyond participation or completion to assess learning outcomes can offer insights to ensure training efforts are focused on measurable and meaningful outcomes. Creating active feedback loops will improve employee security awareness and your overall organizational security culture.
Best practices for implementing AI-powered security awareness
To get optimum value from AI-powered security awareness efforts, it’s essential to follow some best practices:
- Establish clear objectives. Determine the outcomes you are looking to achieve from training efforts upfront. Maybe it’s increasing the level of awareness or understanding of a particular concept. Or perhaps it’s reducing the number of employees who fall prey to phishing simulation efforts.
- Combine AI with human expertise. Despite AI's great value to security awareness training efforts, human input still matters. Incorporate input from security staff and other subject matter experts to ensure the accuracy and applicability of training content.
- Continuously update and refine. The field of data security changes regularly as new tools and risks emerge. Ensure you’re keeping the training content current to address trends. Analytics can provide important insights regarding what’s working well and what needs to be adjusted.
- Provide context. Augment your training content with real-world examples and exercises to make it more engaging and likely to drive understanding. Don’t just tell — show.
- Integrate with existing systems. Your AI-driven security training shouldn’t exist in a vacuum. Make sure that it is embedded with your existing learning management systems and security infrastructure to ensure a cohesive experience.
- Seek ongoing feedback. Participation rates are only one measure of engagement. Seek employee feedback to ensure the information being delivered is relevant and meaningful. Seek ideas from employees on new ways to provide training or new topics to cover. Enlist their support in creating and delivering training. The more engaged they are, the more they feel their input is valued, and the greater the likelihood that security training efforts will stick.
We’re only beginning to understand GenAI's full impact on our ability to deliver timely and measurably relevant security awareness training. However, ample opportunities and examples exist to help drive efficiencies and greater effectiveness through the power of AI.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Erich Kron, KnowBe4
A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is a Security Awareness Advocate for KnowBe4. Author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security professionals worldwide to provide the tools, training, and educational opportunities needed to succeed in information security.