This GigaOm Research Reprint Expires Mar 6, 2024

GigaOm Radar for Security Awareness and Training v1.0

1. Summary

Designing a defense strategy against cyber threats for systems, networks, and data that focuses only on technologies does not guarantee an organization’s information assets will be protected. Neglecting the risk associated with the human factor for securing the company’s perimeter is an oversight that sooner or later will be exploited by cybercriminals. The statistics prove it. The majority of successful cyberattacks are made possible by accidental human failure, often due to a person’s lack of vigilance, ignorance of the issues and risks related to certain behaviors, or a lack of commitment to contributing to the defense of the organization’s security.

The question that arises, therefore, is how to make employees themselves a firewall against cyberthreats. The answer involves the systematization of awareness and training in security concerns for all company employees.

This is nothing new because security awareness and training (SA&T) programs have been around for a relatively long time in the IT world. And yet attacks exploiting human vulnerability continue to succeed.

Why? The battle to capture the very fragmented attention of employees during training is ongoing. The challenge is no longer just about the content of SA&T programs but increasingly about the mechanisms, methods, and means of delivering the content in such a way that it is impressed on the mind of each employee. The goal is to both change the organizational culture toward security and to impact employee behavior to support it.

The market’s response to this challenge comes from companies that were already specialized in the training of cybersecurity experts or from young and innovative offshoots that were launched specifically to address the need for SA&T in organizations.

The notable difference between the two types of SA&T providers lies in the way they approach the issue. Those already involved in training tend to concentrate on the breadth and richness of the cybersecurity library content, while those newer to the SA&T field focus more on how that content is delivered, with the clear and stated goal of having an observable and measurable impact on individual behaviors and enterprise cultural changes. To do this, these providers use psychological concepts governing the mechanisms of behavior change in humans coupled with innovative pedagogical concepts. SA&T subjects are delivered in micro and nano capsules dealing with a particular point or by resorting to audiovisual or gamification techniques from the world of entertainment.

Clearly, both content and delivery are important, so the choice of an SA&T product should consider not only the richness and continuous renewal of the cybersecurity library content but also the methods, means, and format of delivery of security topics.

This GigaOm Radar report highlights key SA&T vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Security Awareness and Training Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well solutions for SA&T are positioned to serve specific market segments and deployment models.

For this report, we recognize two market segments:

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.

In addition, we recognize three deployment models for solutions in this report:

  • Software only (training modules only): The product is limited to the library content as a package of training modules.
  • Virtual appliance: The product includes training content and management and administration tools that the customer can deploy on its infrastructure.
  • Software as a service (SaaS): The product includes training content and management and administration tools as a SaaS solution.

Table 1. Vendor Positioning

                 Market Segment             Deployment Model
Vendor           SMB   Large Enterprise     Software Only (Training Modules Only)   Virtual Appliance   SaaS
Arctic Wolf
CybSafe
Hook Security
InfoSec
KnowBe4
MetaCompliance
NINJIO
OutThink
SANS
SMARTFENSE
(per-vendor ratings for this table are not recoverable from this copy)

Scores: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; no score = Not applicable or absent.

3. Key Criteria Comparison

Building on the findings from the GigaOm report “Key Criteria for Evaluating SA&T Solutions,” Tables 2, 3, and 4 summarize how well each vendor included in this research performs in the areas we consider differentiating and critical for the sector: key criteria, evaluation metrics, and emerging technologies.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating SA&T solutions.
  • Evaluation metrics provide insight into the impact of each product’s features and capabilities on the organization.
  • Emerging technologies and trends indicate how well the product or vendor executed against the technologies and trends identified in the previous report.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key criteria (columns, left to right): Cybersecurity Training Library; Multiple Language Support; Variety of Delivery Methods & Formats; Enterprise Integration; Advanced Reporting.

Vendor           Training   Language   Delivery   Enterprise    Advanced
                 Library    Support    Methods    Integration   Reporting
Arctic Wolf      2          2          2          2             1
CybSafe          2          2          2          3             2
Hook Security    2          1          2          2             2
InfoSec          3          2          3          3             3
KnowBe4          3          3          3          3             3
MetaCompliance   2          2          3          2             3
NINJIO           2          2          3          1             2
OutThink         2          3          2          2             2
SANS             3          3          3          1             1
SMARTFENSE       2          2          2          1             1

Scores: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; no score = Not applicable or absent.

Table 3. Evaluation Metrics Comparison

Evaluation metrics (columns, left to right): Ease of Deployment & Implementation; Ease of Administration & Management; Ease of Use by End-Users; Impact on Organizational Culture & Behavior Change; Vendor Service & Support; Vision & Roadmap.

Vendor           Deployment   Administration   End-User   Culture &   Service &   Vision &
                                               Ease       Behavior    Support     Roadmap
Arctic Wolf      2            2                2          2           2           2
CybSafe          2            2                2          2           2           2
Hook Security    2            2                2          2           2           1
InfoSec          3            3                3          3           3           2
KnowBe4          3            2                2          3           2           3
MetaCompliance   2            2                2          2           2           3
NINJIO           3            2                2          3           3           3
OutThink         2            2                3          3           2           3
SANS             2            2                2          2           3           3
SMARTFENSE       2            2                2          2           2           1

Scores: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; no score = Not applicable or absent.

Table 4. Emerging Technologies Comparison

Vendor           Targeted User Training   On-the-Infraction-Spot Learning
Arctic Wolf
CybSafe
Hook Security
InfoSec
KnowBe4
MetaCompliance
NINJIO
OutThink
SANS
SMARTFENSE
(per-vendor ratings for this table are not recoverable from this copy)

Scores: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; no score = Not applicable or absent.

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Security Awareness and Training

As you can see in the Radar chart in Figure 1, there are two providers who are in the Leaders circle and two primary Challengers who are close behind them. The remaining providers are spread out across the Challengers ring.

InfoSec is a Leader in the Maturity/Platform Play quadrant. It has depth, experience, and a solid position in the field of cybersecurity training, with a training platform that allows content management, user administration, and integration with its customers’ enterprise ecosystems.

KnowBe4 is a Leader in the Maturity/Feature Play quadrant. KnowBe4 was an early provider in this space, developing an SA&T product with innovative features related to both content and delivery formats. KnowBe4’s offering has since matured, and its brand is more established.

OutThink and NINJIO are Challengers, both on a trajectory to enter the Leaders circle in the near future and both located in the Innovation half of the Radar (though OutThink is on the Feature Play side and NINJIO is on the Platform Play side). These are SA&T-native vendors, and being relatively new, they seem to have good potential for progress. OutThink is innovative in its approaches to SA&T content and delivery mechanisms. For example, OutThink users do not need to identify themselves or log in to take a course, though their progress is nevertheless monitored and observed. Moreover, the product is able to monitor the learner’s attitude during training and adapt to the learner’s context or constraints. NINJIO has innovative features related to content delivery, with a delivery model based on capturing the learner’s attention through a TV show-like approach.

CybSafe and Hook Security are Challengers in the Innovation/Feature Play quadrant and have innovative approaches to both content design and content delivery. Arctic Wolf is a Challenger in the Innovation/Platform Play quadrant and is in the process of expanding its security operations center as a service (SOCaaS) offering by adding SA&T capabilities.

MetaCompliance and SMARTFENSE are Challengers in the Maturity/Platform Play quadrant; both companies have added an SA&T offering to their existing platforms. SANS is a Challenger in the Maturity/Feature Play quadrant due to its lack of the kind of extended capabilities typically associated with platforms.

Given the dynamic nature of the field and the ever-changing security landscape, this positioning is very likely to change in the next 12 to 18 months, especially in the Challenger circle.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Arctic Wolf

Founded in 2012 and headquartered in Minnesota, US, Arctic Wolf’s core business is in SOC concierge services or SOCaaS, especially extended detection and response (XDR).

Arctic Wolf’s cybersecurity concierge service is based on a cloud-managed detection and response platform, which focuses on continuous vulnerability and risk monitoring and management. Using application programming interfaces (APIs) and machine learning (ML), Arctic Wolf is able to offer real-time monitoring, analysis, and alerts on user behavior and cloud resources, enabling businesses to combat cyber-crime and detect threats without having to build their own SOC.

The acquisition in September 2021 of an SA&T platform named Habitu8 marked Arctic Wolf’s entry into the market. Managed security awareness was added to its security operations concierge services offering.

Although its entry into the SA&T market is recent, we expect that in the medium term, Arctic Wolf will have a clear advantage over the competition, thanks to its access to the operational data generated in the SOCs it manages, particularly data related to cybersecurity incidents, whether accidental or intentional. This visibility into the real-time behavior of humans will allow the company to properly build, enrich, and renew its library of content as well as tune its delivery methods and means. As a result, it could be on its way to influencing changes in employee behavior and company culture in relation to information security. In Arctic Wolf’s case, enterprise integration with its client’s operations security stack is a strength.

Arctic Wolf realizes another advantage due to its position in the SOC managed services market, and that is its presence in various segments of the target markets. The diversity of its customer base allows it to contextualize both the content and its means of delivery to the end consumers.

The company is weak, however, in terms of multiple language support. Managed security awareness content is delivered primarily in English, though some microlearning sessions are available in American English, British English, German, and Spanish.

Arctic Wolf also should add to the kinds of delivery methods and formats available. The company focuses only on the microlearning format, which is interesting but not sufficient for an SA&T product.

Strengths: Arctic Wolf’s enterprise security stack integration is a valuable feed for SA&T content and delivery design. Its market positioning and penetration, thanks to its SOC-as-a-service concierge offering, provide diversified security contexts and realities.

Challenges: Managed security awareness content is primarily delivered only in English, and the focus on the microlearning format is too limited.

CybSafe

Founded in 2015 and headquartered in London, CybSafe launched in July 2017 as an SA&T vendor. As with most companies recently entering the SA&T market, its offering uses human psychology and behavioral science to manage human-related cyber risk. The company offers its SA&T product as a SaaS.

CybSafe’s solution aims to help businesses of all sizes contain cyber threats both internally and externally and within their supply chain by improving employee behavior and changing workplace culture regarding security.

One of the strengths of the CybSafe platform is its support for multiple languages. Indeed, it is translated into more than 15 languages. The company is aware that it still has a long way to go, in particular to ensure that the end-to-end translation of the entire platform in each of the supported languages is available.

The CybSafe platform also has excellent enterprise integration capabilities. These integrations can, for example, simplify user management and capture more user behavior data, including data from other predefined applications in the customer’s enterprise ecosystem, such as Slack, Microsoft Defender, and Okta.

Awareness training formats offered by CybSafe are diversified; formats include modules, refresher testing, microlearning, nudges, goals, and on-demand help cards.

Strengths: The CybSafe platform scores very well on multiple language support and enterprise integration.

Challenges: The vendor should ensure that the end-to-end translation of the entire platform in each of the supported languages is available.

Hook Security

Founded in 2018 and headquartered in South Carolina, US, Hook Security is a native SA&T company. As with most such companies, the design of the Hook Security platform is based on human psychological concepts. In particular, the training is said to target the part of the brain that processes threat recognition and response, and this is used to teach people to identify and react to cyber threats and other manipulation by technology. The company provides training and resources related to phishing emails and ransomware attacks as well as for compliance.

Hook’s offering consists of two products:

  • PsySec Essentials covers common everyday topics for everyone, such as phishing, password security, and secure remote working.
  • PsySec Deep Dives drills down into complex subjects and makes them more accessible by using, for example, real scenarios and entertaining stories.

The Hook SA&T product meets expectations on most of the key criteria. Its library covers basic SA&T and compliance topics. However, its delivery method is limited to videos. We have not seen any other formats, such as micro and nano learning or gamification. Its integration capabilities are also lacking, limited only to Microsoft Azure. Moreover, language support is limited to English.

However, one of the important emerging technologies we noted relates to a just-in-time response to an employee’s risky security behavior, and Hook Security is on the right track here since this feature is already present in the context of a phishing simulation. This feature is referred to as an Instant Training Moment, which consists of activating microtraining videos for users who click on phishing simulations.

Hook Security’s SA&T product shows a lot of promise. The company is young and needs to expand and improve certain features as explained above.

Strengths: Hook’s Instant Training Moment approach is likely to resonate better with inadvertent offenders and to ultimately improve their security hygiene.

Challenges: More languages than English and more delivery formats than videos should be supported.

Infosec IQ

Founded in 2004, Infosec was acquired by Cengage Group, a global educational technology company, in 2022. Now a strategic part of the Cengage Work business unit, Infosec specializes in the training and education of cybersecurity professionals as well as non-security employees throughout an organization. Its initial clientele consisted of employees responsible for setting up the roadmaps, strategies, and tools to build strong security into the organization. Most of these people report to a team (division, management, or even a vice-president) dedicated to securing the organization’s information assets.

However, it has been shown that the weakest link in an organization’s information security edifice is the organization’s employees and other resources and partners who have limited or no cybersecurity culture and awareness or are simply not engaged in helping to protect their organization’s information assets. Infosec’s advantage is that it’s able to leverage its long-standing expertise in developing quality role-based training for security professionals to create an SA&T platform, dubbed Infosec IQ, tailored to the mission of educating all employees and intended for use by the entire population of an organization.

With a library covering more than 800 subjects, Infosec scores very well on our library criterion. It includes all fundamental and advanced aspects of SA&T as well as regulatory compliance topics. The content is organized by industry, roles, behavior, and/or regulatory requirements, such as NIST 800-50.

Another strength of Infosec IQ is that it offers a variety of delivery methods and formats, such as animation capsules, live-action videos, and phishing simulations. Also, alongside relatively long training capsules, most of IQ’s training modules are micro or nano learning courses and games lasting less than 10 minutes.

On the enterprise integration and advanced reporting criteria, Infosec scores high compared to its competitors. Infosec IQ integrates with endpoint protection suites, learning management systems, and identity management solutions via its SCORM capabilities. SCORM, which stands for Sharable Content Object Reference Model, is a set of technical standards for creating eLearning software products. Infosec IQ includes SCORM as a Service, which streams learning modules from a dedicated content delivery network (CDN) to enhance the learning experience.

The richness of Infosec’s prebuilt dashboards makes them usable by a range of employees—system administrators, executives, and learners. A variety of Infosec IQ training metrics are available, including Training Completion Rates mapped to NIST’s top nine recommendations, Completion of Training on Time (an indicator of employee commitment and willingness to prioritize training), and Fastest and Fastest Report Times (the difference between report speed and click-through speed, considered a powerful indicator of the likelihood an organization is ready to prevent a breach versus being compromised by a breach).

Infosec supports 35 different languages but could improve its offering with an end-to-end version of the product in each of the supported languages.

Infosec also scored high on our evaluation metrics, especially on ease of use by end users. Indeed, Infosec IQ makes training accessible to learners of all abilities. All training modules include closed captioning, audio descriptive tracks, and PDF transcripts and are compatible with assistive technologies like screen readers and keyboard navigation. Infosec IQ meets WCAG 2.1 AA and Section 508 compliance standards.

Strengths: Infosec’s cybersecurity training library covers all fundamental and advanced aspects of SA&T and regulatory compliance. The solution has a variety of features that make it easy for end users to learn from, regardless of their abilities. Infosec IQ meets WCAG 2.1 AA and Section 508 compliance standards.

Challenges: Infosec could improve its language support by offering an end-to-end version of the product in each of the supported languages.

KnowBe4

Founded in 2010 and headquartered in Florida, US, KnowBe4 is an SA&T native company. It was founded on the principle that the human side of cybersecurity is seriously overlooked. KnowBe4’s SA&T platform offers security awareness and phishing attack simulation training. It also provides a range of free and paid tools that help organizations test their employees’ security awareness.

The commercial KnowBe4 product is divided into three levels of access to training. Depending on the level of service purchased, the customer can take advantage of differing packages of rich and varied content.

KnowBe4’s SA&T platform is strong on all our key criteria. Its library holds more than 1,000 different training materials, including interactive modules, videos, games, posters, and newsletters, allowing the platform to cover very broadly both basic and advanced topics related to information security awareness aimed at the general population of an organization. In addition, training on regulatory compliance is also available.

The platform also has a good range of delivery formats. The basic training modules have durations ranging from five to 45 minutes, providing both specific, to-the-point short capsules focusing on a particular item and wider, more comprehensive modules about a given security topic. These help ensure employees understand the mechanics of spam, phishing, spear phishing, malware, ransomware, and social engineering.

KnowBe4 also offers a range of reports that make it possible to monitor the effectiveness of security awareness training campaigns. Additionally, training reports can be generated for specific users or specific groups to help organizations ensure their most-at-risk employees engage with training materials and campaigns.

Though it’s more of an opportunity to improve than a weakness, administrators have indicated that the web console has the feel of a beta version and lacks the polish of a final product.

Strengths: KnowBe4’s library has more than 1,000 different training materials, including interactive modules, videos, games, posters, and newsletters. KnowBe4 offers a range of reports that track the effectiveness of security awareness training campaigns.

Challenges: Administrators have noted that the web console lacks the polish of a finished product.

MetaCompliance

Founded in 2005 and headquartered in London, MetaCompliance offers SA&T with the goal of increasing employee awareness of cybersecurity threats, reducing the risks associated with cyberattacks, and embedding a culture of security compliance in the organization.

MetaCompliance is a cloud-based platform. Its Customer API is hosted on Microsoft Azure App Services and can be accessed via the Azure API Management platform. This provides a method of collecting data from MetaCompliance without the need to log on to the platform and perform a manual task.

For most of the key criteria, the MetaCompliance Elements eLearning solution scores as expected for an SA&T product. The solution offers a good variety of delivery methods, with digestible snippets of cybersecurity training and user interactions in a microlearning format. It incorporates a rich graphical user interface (GUI) to engage end users and create a positive learning experience. This GUI includes animation, subtitles, live action, and interactive content. Custom content can be uploaded and integrated into courses recommended by MetaCompliance, and courses can be created and customized based on organization, department, or user type. Courses can be delivered to users via the MetaCompliance platform using a single access link without login required, or they can be accessed via a learning management system (LMS) or Microsoft Teams.

MetaCompliance offers advanced reporting capabilities. Reports can be automatically sent to relevant managers, without administrator intervention, to track and monitor non-compliant users and support their training completion. Engagement scores and risk ratings are calculated per user and at an overall organization level, based on each user’s interactions with their assigned courses, simulated phishing, policies, and surveys.

MetaCompliance’s Elements training library could use some enhancement. While it covers compliance-related topics such as GDPR and other regulations very well, it needs to include more diverse and varied topics related to SA&T.

The other challenge for MetaCompliance is related to vendor support. The company does not offer 24/7 support to clients, meaning that customers outside of the provider’s time zone may not receive the expected support during their business hours. Also, clients only get a customer success manager if they buy an enhanced support package.

Strengths: MetaCompliance offers cybersecurity training in digestible snippets and user interactions in a microlearning format. The capable reporting feature allows reports to be sent automatically to relevant managers, without administrator intervention, to track and monitor non-compliant users and support their training completion.

Challenges: The library content should be broadened to include more diverse and varied topics related to SA&T. Vendor support may not be available during some customers’ business hours if they are outside of MetaCompliance’s time zone.

NINJIO Aware

Founded in 2015 and headquartered in California, US, NINJIO is a native SA&T company.

The NINJIO solution can be deployed as a SaaS or as a content purchase for internal deployment on LMS/content delivery platforms. In the SaaS model, the NINJIO admin portal enables user management (including Active Directory and other provisioning tools), content management (training in specific topics, deployment of the recommended monthly courses, individual training for specific users, and so forth), simulated phishing campaign development, and management and reporting.

For the internal deployment on LMS/content delivery platforms, all content is uploaded to a cloud-based storage and sharing platform and becomes available to download by the client organization.

A significant strength of the NINJIO solution is the variety of delivery methods and formats it offers. These options include video, short-form blogs, infographics, and comics, as well as the individual delivery of timely content to each learner. There is also microlearning narrative teaching backed by quizzes and gamification, and admins can schedule any of the over 100 episodes to individual learners, groups, or organizations.

The NINJIO product is easy to use and can be deployed and operationalized within 24 hours. The solution does well in terms of its impact on organizational culture and behavior, thanks to its innovative TV show-like approach that arouses curiosity and captures the attention of the audience, thus providing the two key ingredients necessary to make an impression and change both the culture of an organization and the behavior of individuals.

In contrast, NINJIO’s library could use some upgrading. It offers more than 100 three-to-four-minute (microlearning) episodes, each concerning a specific real-life hack and its associated attack vector, plus a set of longer-form texts about each hack and mini-micro (90-second) teachable video segments. In terms of content, however, it mainly covers general awareness, compliance, and privacy topics, and it is lacking in a number of areas, such as role-based training (RBT).

Moreover, while NINJIO supports multiple languages, it could improve its offering by having the product translated end-to-end in all the supported languages.

Enterprise integration could also be improved. Currently, the solution’s integration is limited to compatibility with different LMS formats. What is expected today, however, is that SA&T solutions will be able to integrate with a customer’s security stack, including security information and event management (SIEM), XDR, and identity and access management (IAM) solutions. NINJIO provides APIs that allow clients to create their own custom integrations into their security stack.

Strengths: NINJIO offers a real range of delivery methods and formats, which make it more likely to capture and hold employee attention and thereby affect both individual behavior and company culture.

Challenges: Although multiple languages are supported, they are not supported end-to-end. Enterprise integration is limited to compatibility with various LMS formats, not with a client’s own security stack.

OutThink

Founded in 2019 and headquartered in London, OutThink is a native SA&T company. Its SaaS human risk management platform helps organizations to automate the delivery of both mandatory and adaptive security awareness training, phishing simulations, and human risk intelligence based on employee role and level of risk. OutThink targets a variety of market segments in the enterprise business arena.

The OutThink platform is hosted in Azure, with multitenancy support, and is compliant with all necessary global security measures. The platform licensing model is per user, per year.

Two key offerings at different price points are available:

  • Security Awareness Training & Phishing Simulation
  • Human Risk Intelligence (applied psychology, behavioral insight, and predictive modeling)

The platform meets expectations on all key criteria and exceeds them on some. For example, the OutThink platform supports more than 21 languages, fully and end-to-end, localized across both text and video assets. Furthermore, the solution allows users to override the default language with their own preferred one. This preference is recorded, and whenever the user returns, the system presents everything in the chosen language.

A fundamental goal of any SA&T program is to change organizational culture and behavior, and OutThink clearly stands out from its competitors in this area. The solution has a feature that “understands” individual users, measures their attitudes (intention, engagement, feeling, psychographic segment) via behavioral telemetry as they undergo cybersecurity awareness training, then reports to admins and managers on why certain policies aren’t followed (for example, because they impact productivity or there is a problem with system compatibility). The feedback is used to foster secure behaviors to lower the risk of a breach.

Moreover, OutThink is already delivering targeted user training, which we have identified as an emerging technology. Training is personalized, and users are assigned training and awareness modules dynamically, based on their needs, knowledge, and job role.

However, more work needs to be done on OutThink’s training library, which is continuously being enriched. The platform’s reporting capabilities could also be improved: although reporting APIs are available to feed data into Power BI, only a few built-in reports currently come with the product.

Strengths: OutThink has very strong language support, with more than 21 languages fully supported end to end. In addition, by measuring a variety of user attributes, such as intention and engagement, the solution learns to “understand” individual users and can use that knowledge to adapt awareness and training modules.

Challenges: Both the library and built-in reporting capabilities could be improved.

SANS Institute

The SANS Institute was founded in 1989 with a focus on security and cybersecurity training and certification. It’s a private company, headquartered in Maryland, US.

The SANS Institute has a long history in specialized training intended primarily for cybersecurity professionals. Interest in SA&T-type training for ordinary people, who make up the majority of employees in an organization, came later. That history gives the SANS Institute both advantages and disadvantages in terms of SA&T training. For example, its library constitutes a strength in view of the wealth and variety of subjects already and historically available. On the other hand, adapting that content to neophyte populations, who are not necessarily interested but must still be reached, is a challenge.

SANS’s long-term presence in the cybersecurity training market also gives it an advantage in terms of languages, with courses available and localized in about 30 different languages. And those courses are available in a variety of formats and delivery methods—including traditional instructor-led, web-based and self-paced, and interactive and gamified formats.

However, the SANS Institute platform has no ability to integrate with existing customer systems, such as SIEM, EDR, and IAM. Moreover, the SANS solution does not provide its own means of generating reports.

These two weaknesses, according to our analysis, stem from the fact that SANS deploys on-premises. Its solution is delivered either as modules that the customer integrates into its own LMS or as SaaS through a third-party LMS called Litmos.

Strengths: The SANS Institute’s long history in training cybersecurity professionals provides it with a library filled with a wealth of training materials available in more than 30 languages. In addition, courses are available in a variety of traditional and modern formats.

Challenges: The SANS solution can’t be integrated with existing customer systems, and it does not provide its own means of generating reports.

SMARTFENSE

Founded in 2015 and headquartered in Spain, SMARTFENSE is a native SA&T company. The SMARTFENSE SA&T platform is deployed as a SaaS product and provides cloud-based security simulation and training. It integrates all administrative aspects of the training and awareness program with correlation metrics to assess the program’s effectiveness. Products include phishing and ransomware simulation, interactive modules and newsletter-based training, and management metrics and registries for compliance.

The SMARTFENSE solution has an adequate cybersecurity training library that covers the major SA&T topics as well as those relating to regulatory requirements. SMARTFENSE provides different means to deliver the content and capture employees’ attention, such as video games, videos, comics, and interactive modules. This range of options makes it possible to reach people of different ages and knowledge levels, encouraging the uniform development of a data-safety culture across the organization.

The SMARTFENSE SA&T platform supports certain languages to different degrees, but its focus is on the Spanish language. It does not, however, offer end-to-end support in this language or others. The SMARTFENSE solution is weak in terms of integration with on-premises systems, especially the information security stack. Also, its lack of SCORM compatibility is a concern.

Finally, with regard to reporting, the platform has been criticized for presenting too much personal information about users, which is displayed in an Excel format. In addition, that information cannot be shared with other departments in the organization for studies and analysis without first being anonymized, which means extra manual effort is required from admins.

Strengths: The SMARTFENSE solution delivers its learning modules in an interactive model combining multiple formats, creating a flexible and fun experience for users.

Challenges: The platform has excellent support for Spanish but not so much for other languages. Its reporting capabilities are lacking, and it has been criticized for presenting too much personal information about users.

6. Analyst’s Take

The cybersecurity training and education market should not be confused with the SA&T market.

Cybersecurity training and education is primarily aimed at information security and cybersecurity professionals whose job is to build robust and secure systems and solutions protected against abuse and internal or external accidental or criminal attacks. This type of training generally results in a diploma or certification attesting to the expertise acquired.

SA&T, on the other hand, is for everyone. Anyone who is connected to, consumes, uses, or produces digital content is a potential candidate to receive SA&T, regardless of their profession and the context of their digital activity. Within the framework of an organization, this training is given as a preventive or reactive measure in response to cybersecurity incidents. In other words, SA&T is considered a way to mitigate the risk of human vulnerability to threats of cyberattacks.

The services and solution providers involved in SA&T come from a variety of backgrounds—the world of classic IT or information security training, or from companies established in the world of general or specialized IT services and products, or, finally, from new native SA&T companies. The SA&T providers selected for this report are a representative sample of these different categories.

InfoSec and SANS fall into the first category, classic IT and information security training. In the second category, we find Arctic Wolf and MetaCompliance. All of the remaining companies are native SA&T businesses. Several are recently founded: OutThink (2019), Hook Security (2018), CybSafe (2017), and NINJIO and SMARTFENSE (2015). Others have been on the market for a decade or more, such as KnowBe4 (2010).

For customers seeking an SA&T product, choosing among the particular SA&T players and determining where to invest to get a satisfying ROI can be confusing. Training is generally perceived by most employees as overhead in their already busy day. The challenge is how to motivate them and, more importantly, capture their attention and influence their behavior after training, in line with the organization’s security awareness maturation objectives.

The ideal product is one that not only has an extensive and optimal library in terms of the covered topics but also delivers this content to learners in such a way as to satisfy two contradictory requirements: deliver the training as quickly as possible and have the greatest impact in terms of retention and application of the delivered content.

To this end, most of the SA&T native companies are innovating in terms of SA&T delivery methods. They offer methods and formats that are based on theoretical human psychology and pedagogical concepts, with the aim of changing the behavior of individuals and the culture of the company regarding information security. However, some companies with less innovative delivery methods often have richer library content.

Native SA&T companies tend to all work on maturing their innovative products and expanding their libraries, while companies that have diversified into SA&T tend to work on their delivery methods.

Keep in mind that the overarching goal of these products is to capture and hold the learner’s attention. If that doesn’t happen, it’s just a waste of time and money. So, as you evaluate different solutions, make sure each one ticks all your boxes in terms of topics offered, languages supported, integrations allowed, and any other criteria you deem important. But once you have your short list, take advantage of demos and free trials to make sure the content will resonate with your users.

7. About Jamal Bihya

Jamal Bihya is a creative technology leader with over 30 years of experience delivering innovative, critical, and operational solutions for organizations across all business sectors. He is a highly analytical and accomplished professional who has led the planning, design, and implementation of solutions in various industries. Jamal has a proven history of excellence propelling organizational success by establishing and executing strategic initiatives that optimize performance. He has demonstrated expertise in the selection, planning, and implementation of solutions for enterprise and commercial applications, in the development of key architectural components, in risk analysis, and in leading all phases of projects. He has been recognized for promoting effective governance and positive change that has improved operational efficiency, revenues, and cost savings. As a seasoned communicator and recognized unifier, Jamal turned strategic ideas into reality through close coordination with engineering teams, stakeholders, and senior executives.

Jamal has worked for IBM, Alcatel, Motorola, CGI (amongst other global technology players), and delivered projects in Africa, Asia, Europe, and North America.

Jamal is a pioneer in the agility of designing and delivering long-lasting and robust solutions. In his role as analyst, Jamal provides innovative technological and strategic solutions for organizations. He’s currently using his expertise to analyze processes and challenges related to cybersecurity and risk management with a particular interest in the concept of the Digital Identity.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Security Awareness and Training" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.