Moving beyond Security Awareness and onward with Security Competence

While Security Awareness is important, a focus on Competence ensures that the employee has real Cyber Security skills that can be applied in an actual Cyber Risk situation.

Security Competence

Awareness is knowledge of a fact or situation, whereas competence is a specific range of skill, knowledge, or ability. To develop a strong Cyber Security culture, organizations must go beyond Security Awareness training and help their employees acquire practical Cyber Security skills.

Awareness and Competence

How much does the end-user know, and what can the end-user do?

There is a fine line that separates awareness training from competence-based learning. For example:

Awareness: Knowing how a VPN or encryption works.

Competence: Turning on a VPN when connecting from outside the office, even if the Wi-Fi network is encrypted (the Wi-Fi encryption only protects the link to the access point, not the traffic beyond it).

Awareness: Knowing that fake websites can steal information.

Competence: Identifying a fake website even though it has a valid SSL/TLS certificate (the padlock only means the connection to that domain is encrypted; it says nothing about whether the domain belongs to the organization it imitates).

Awareness: Knowing that some mobile apps can sniff or steal information.

Competence: Securing a personal mobile device before activating business email on it.

As the above examples show, a competence-focused approach gives end-users Cyber Security skills that they can actually apply. Hence, the question Cyber Security managers must ask is:

“Is my Cyber Security training providing valuable skills to the end-users that they can apply when confronted with real Cyber Risk situations?”

The answer lies in expanding the focus beyond Security Awareness to Security Competence.

Measuring effectiveness using awareness scores alone may be misleading

An important aside that must be covered at this point is the dependence on assessments to measure the effectiveness of Cyber Security training.

Most Cyber Security training programs measure awareness using quizzes. It is important to remember that these assessments only test how much the user knows; they do not test what the user can do.

Such assessments can create a false sense of confidence, and it is common practice to make them easy enough for the end-user to ace.

Using the Learning by Doing method

To build a knowledge base one must acquire experiences

Learning by doing focuses on performing an activity and experiencing its outcome. In effect, this approach builds experience, and a strong knowledge base must be built on experience.

Learning by doing using 3D Virtual simulations

3D virtual simulations are a practical solution for competence-focused Cyber Security training. Recently, at my company, we started experimenting with simple, practical, everyday Cyber Security risk situations that the end-user can relate to. See an example below.

The learning-by-doing approach, when used in Cyber Security training, helps the learner to:

become actively involved in a Cyber Security risk situation

use and sharpen analytical skills to mitigate the risk

take decisions based on that analysis

reflect on the outcome of the decision

Whether the outcome is positive or negative, it creates an experience. By accumulating Cyber Security experiences over a period of time, the end-user builds a strong base of Cyber Security knowledge and skills.

Competence-focused Cyber Security training goes beyond awareness to build Cyber Security skills that may seem simple but are of immense value. Slowly but surely, over a period of time, you will have employees who know

where to look,

what to click (or not to click),

what to search for,

what to turn on or turn off,

...when confronted with a Cyber Security risk.