The Human Risk Problem and One-Size-Fits-All Limitations
This HuFiCon 2024 session addresses the fundamental challenge that 68% of security breaches involve human error, with projections suggesting this will reach 90% in coming years. SoSafe product experts Tommy Courtney and Dr. Gundula Zerbes argue that traditional security awareness training oversimplifies human risk by treating all employees identically. They demonstrate how workforce diversity—spanning risk levels, departmental roles, work contexts, and individual skill levels—demands a more sophisticated approach. The session establishes that employees working from home face different vulnerabilities than office-based staff, while new hires require different training than tenured employees, yet most organizations still deploy uniform training programs that fail to account for these critical differences.
Personalized Learning Paths and Adaptive Simulations
The presentation introduces SoSafe's approach to individualized security training through role-based learning paths, context surveys, and behavior-based phishing simulations. Using a sales leader named Alex as a case study, the speakers demonstrate how the platform builds contextual understanding of each employee's role, travel patterns, and device usage to deliver relevant training content. The adaptive simulation engine adjusts phishing difficulty based on individual click rates—sending easier templates to users with low awareness and progressively harder scenarios as competency improves. This personalization extends to smishing simulations for mobile users and eliminates irrelevant training modules, addressing the common complaint that employees lack time for generic security content that doesn't apply to their actual work environment.
Real-Time Feedback with Sophie AI and Success Measurement
SoSafe's Sophie AI assistant provides immediate feedback when employees report suspicious emails, offering instant analysis of whether a message is malicious and explaining the specific threat indicators. This real-time learning moment occurs when employees are most engaged and receptive, while simultaneously reducing the manual triage burden on security teams who traditionally review every reported email. The session emphasizes measuring success through behavioral metrics like click rates rather than just training completion percentages, with recommendations to track department-level vulnerabilities and continuously train employees to maintain their threat recognition capabilities. The Q&A portion addresses measuring security culture maturity through attitude surveys and tracking the ratio of security events to actual incidents as indicators of program effectiveness.
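The adaptive difficulty logic described in the previous section and the behavioral metrics discussed here (per-user and per-department click rates, and the ratio of reported security events to confirmed incidents) can be made concrete in a few dozen lines. The following Python is an added illustration, not SoSafe's engine, Sophie, or any code from the session: the three difficulty tiers, the thresholds, the record format, the user names, and the sample results are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Difficulty ladder, from the least to the most convincing template tier (assumption: three tiers).
DIFFICULTY_LEVELS = ("easy", "medium", "hard")


@dataclass(frozen=True)
class SimulationResult:
    """One delivered simulation and how the recipient handled it (constructed record format)."""
    user: str
    department: str
    difficulty: str
    clicked: bool    # recipient interacted with the simulated lure
    reported: bool   # recipient reported it through the report button


def click_rate(results):
    """Fraction of results in which the recipient clicked; None if there is nothing to measure."""
    if not results:
        return None
    return sum(1 for r in results if r.clicked) / len(results)


def user_results(all_results, user):
    """Results for one user, in delivery order."""
    return [r for r in all_results if r.user == user]


def next_difficulty(history, window=5, step_up_at=0.2, step_down_at=0.5):
    """Pick the difficulty of a user's next simulation from their recent history.

    Policy (an assumption, not SoSafe's algorithm): start at "easy"; step up only after
    `window` results at the current tier with a click rate at or below `step_up_at`;
    step down as soon as the recent click rate reaches `step_down_at`, so a user who is
    clicking gets easier, more instructive material right away.
    """
    if not history:
        return DIFFICULTY_LEVELS[0]
    current = history[-1].difficulty
    tier = DIFFICULTY_LEVELS.index(current)
    recent = history[-window:]
    rate = click_rate(recent)
    at_current_tier = [r for r in recent if r.difficulty == current]
    if rate >= step_down_at:
        tier = max(tier - 1, 0)
    elif len(at_current_tier) >= window and click_rate(at_current_tier) <= step_up_at:
        tier = min(tier + 1, len(DIFFICULTY_LEVELS) - 1)
    return DIFFICULTY_LEVELS[tier]


def department_click_rates(all_results):
    """Click rate per department, rounded to two decimals, for spotting vulnerable groups."""
    by_dept = defaultdict(list)
    for r in all_results:
        by_dept[r.department].append(r)
    return {dept: round(click_rate(rs), 2) for dept, rs in by_dept.items()}


def events_to_incidents_ratio(reported_events, confirmed_incidents):
    """Reported security events per confirmed incident; None when there were no incidents."""
    if confirmed_incidents == 0:
        return None
    return reported_events / confirmed_incidents


# Constructed sample history: "alex" mirrors the sales leader from the session, the rest are invented.
SAMPLE_RESULTS = [
    SimulationResult("alex", "sales", "easy", clicked=True, reported=False),
    SimulationResult("alex", "sales", "easy", clicked=False, reported=True),
    SimulationResult("alex", "sales", "easy", clicked=False, reported=True),
    SimulationResult("alex", "sales", "easy", clicked=False, reported=False),
    SimulationResult("alex", "sales", "easy", clicked=False, reported=True),
    SimulationResult("bea", "finance", "medium", clicked=True, reported=False),
    SimulationResult("bea", "finance", "medium", clicked=True, reported=False),
    SimulationResult("bea", "finance", "medium", clicked=False, reported=True),
    SimulationResult("chen", "finance", "easy", clicked=False, reported=True),
]

if __name__ == "__main__":
    for user in ("alex", "bea", "chen"):
        print(user, "->", next_difficulty(user_results(SAMPLE_RESULTS, user)))
    print("department click rates:", department_click_rates(SAMPLE_RESULTS))
    # Constructed counts: 120 reported events against 3 confirmed incidents.
    print("events per incident:", events_to_incidents_ratio(120, 3))
```

With the sample data, Alex has completed a full window at the easy tier with one click in five and is promoted to medium, Bea's two clicks in three medium-tier simulations drop her back to easy, and Chen stays at easy because one result is not enough evidence to promote. The department view shows finance at a 0.5 click rate against sales at 0.2, which is the kind of group-level signal the session recommends tracking alongside completion percentages.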