安全意识计算机培训的魔力象限-EN.pdf

This research note is restricted to the personal use of danrob2@washington.edu.

This research note is restricted to the personal use of danrob2@washington.edu.

Magic Quadrant for Security Awareness

Computer-Based Training

Published: 18 July 2019 ID: G00378818

Analyst(s): Joanna Huisman

People influence security more than technology or policy, and cybercriminals

know how to exploit human behaviors. Security and risk management

leaders should invest in tools that increase awareness and influence

This document was revised on 24 July 2019. The document you are viewing is the corrected

version. For more information, see the Corrections page on gartner.com.

People affect security outcomes more than technology, policies or processes. The market for

security awareness computer-based training (CBT) is driven by the recognition that, without perfect

cybersecurity protection systems, people play a critical role in an organization’s overall security and

risk posture. This role is dened by inherent strengths and weaknesses: people’s ability to learn and

their vulnerability to error, exploitation and manipulation.

End-user-focused security education and training is a rapidly growing market. Demand is fueled by

the needs of security and risk management (SRM) leaders to help inuence the behaviors that affect

the security of employees, citizens and consumers.

This research note is restricted to the personal use of danrob2@washington.edu.

This research note is restricted to the personal use of danrob2@washington.edu.

leaders — such as human resource (HR) managers — to recognize the increasing impact of

employee behavior on enterprise SRM efcacy. This is due in no small part to increased enterprise

and employee adoption of mobile, Internet of Things (IoT) and cloud products.

Security Awareness Is a Far-Reaching Concept

As often emphasized in Gartner research on security awareness, security decisions are closely

linked to business objectives. This research focuses on the appreciable market space in which

education materials are offered. In this research, Gartner uses “security education” to refer to the

overarching set of activities and objectives that elevates security competencies and motivates

employees to make better decisions in line with the organization data security postures. The

organization’s education process should prepare the staff for decisions that align with enterprise

enterprise requirements for the management of security risks. Security education can fulll multiple

objectives and requirements, including:

■

Complying with regulations that mandate security training

■

Establishing clear behavioral guidelines to support disciplinary processes, which are typically

described in acceptable-use and/or security policies

■

Improving employee knowledge of security and risk topics

■

the learning outcomes they are looking for prior to vendor engagement.

Relevancy and adaptation are key imperatives for SRM leaders. Most organizations have invested in

some form of security awareness activities for decades. New technologies, threats and patterns of

work compel organizations to seek more-sophisticated behavioral support approaches. These

incorporate a broad range of deployment models, increased frequency of learning opportunities,

context-specic training content and structure, and metrics that support continued investment in

awareness and security education.

This research note is restricted to the personal use of danrob2@washington.edu.

This research note is restricted to the personal use of danrob2@washington.edu.

program. The result is an increasing demand for the measurement of persistent learning outcomes.

Some organizations offer preassessment, so that employees can “test out” some of the courseware,

if they are able to demonstrate knowledge mastery, and to create a baseline by which future

performance can be measured.

to-use, interactive software modules. These modules are available as internet-based services or on-

premises deployments via client-managed learning management systems (LMSs) and vendor

support for the Sharable Content Object Reference Model (SCORM) standard. The products

included in this Magic Quadrant support multilingual and multicultural audiences — that is, they are

available in English and at least one other language. They offer delivery via a variety of digital

endpoints and assessments of trainee participation and completion.

As products in this market mature, each vendor looks to differentiate its products and services in a

Content continues to be the most prominent differentiator. Many clients and vendors recognize that

their security training cannot effectively be approached with a “one-size-ts-all” mentality. They are

developing content of different lengths (one- to two-minute microlearning lessons, interactive

lessons, and episode-based, Netix-like shows) and in different styles — e.g., ranging from

extremely corporate-friendly and “safe” to more edgy, humorous styles. Learners have different

styles (e.g., visual, aural, logical, verbal, physical, social and solitary), which means audiences can

receive the same information in multiple forms, thereby increasing the possibility for information

absorption and retention. Customization of content also addresses the needs of particular roles or

audiences. For instance, although training for all audiences should include foundational awareness,

there may be a need for additional/different training for call center employees, executives or HR

This research note is restricted to the personal use of danrob2@washington.edu.

This research note is restricted to the personal use of danrob2@washington.edu.

traditional CBT methods.

Some vendors include a focus on gamication, although the denition of gamication varies from

vendor to vendor. Clients initially expect an experience that is similar to Xbox or PlayStation, but

quickly realize that the security awareness gamied content is nowhere near that level of

sophistication. In this context, “gamication” includes the establishment of multidepartment

leaderboards and badges, so that departments/employees are ranked against each other in various

ways. Some vendors that provide gamication as an option are also thinking differently about

reward and recognition options for users who exhibit heightened security behaviors (see “Rewards

and Consequences Motivate Employee Secure Behavior”). Some vendors are also introducing

virtual reality content to provide learners with unique experiences.

promote many languages, only subsets of their library are offered in every language. Demand

clarication upfront on what is translated into all the languages you require across your enterprise.

In recognizing that SRM leaders are not full-time content writers, graphic designers or marketing

experts, many security awareness CBT vendors offer large libraries of predesigned content to serve

as additional/supplemental campaign artifacts or for ad hoc communications. These can include

materials for newsletters, intranet postings, emails, security alerts, digital banners and security

information for families and more.

Price continues to be the biggest disruptor in the market. As a result, most of the vendors in this

Some vendors are also exploring interesting partnerships with core security technology vendors,

such as employee-monitoring vendors, endpoint detection and response (EDR) vendors, endpoint

This research note is restricted to the personal use of danrob2@washington.edu.

This research note is restricted to the personal use of danrob2@washington.edu.

others. The goal of such partnerships is to be able to:

■

Leverage real-time data generated or collected by core technologies

■

Log data to provide just-in-time learning, based on observed unsecure behavior exhibited by an

employee

■

Provide a comprehensive product that covers technology to human behavior

Multiple mergers and acquisitions occurred in 2018, resulting in market consolidation. This

movement indicates an ongoing trend — i.e., additional mergers and acquisitions (M&A). This

research focuses primarily on the vendor market performance during the 2018 calendar year, but

also includes market and capability changes that took place in the rst quarter of 2019.

In 2018, the market grew to roughly $451 million, which falls approximately $40 million short of our

original projection. This miss was the result of inaccurate reporting from two separate vendors.

However, all indications suggest that the market is well-positioned for high growth and will remain

so during the next ve years. We estimate the market will grow by approximately 47% in 2019 and

reach $660 million (see Note 2). Gartner continues to experience an increase in inquiries year over

year, as end-user organizations continue to struggle with changing employee behaviors with respect