"Relax the mandatory frequency for Cybersecurity training": End Of Civilization Or Only A Bad Idea?
There it is: in the very near future, the US Department of War (the department known previously as the US Department of Defense) will "Relax the mandatory frequency for Cybersecurity training."
[deep breath]
In the world of science, we test Hypothesis A against the "null hypothesis" to determine empirically whether the outcome under A differs from the null by more than we would expect from chance alone, i.e. whether A and null are statistically significantly different. We have reported on at least two recent occasions that cybersecurity training doesn't work. That means the result under Hypothesis A (standard cybersecurity training has a significant impact on individual behavior) is not distinguishable from the null hypothesis (cybersecurity training has no meaningful impact on individual behavior).
So, you'd think we'd be thrilled by the decision by DoW to "Relax the mandatory frequency for Cybersecurity training."
[deep breath]
No.
Quoting myself at length:
"It's not that cybersecurity training should not take place. The point is that it's not going to stop some people, and that could be 12% of your work force, from engaging in bad cybersecurity behavior. If you think that a 2 percentage point reduction in potential cybersecurity incidents is meaningful ROI, well, more power to you."
A 2-percentage point reduction due to training in a medical center that employs maybe 1,000 people (see Ho et al., 2025) is trivial. Do the math: if 12% of your 1,000-person workforce clicks dumbly on phishing links, that's 1,000 × 0.12 = 120 people, and reducing that number to 100 people (1,000 × 0.10) via training is not a statistically significant change at that sample size.
A 2-percentage point reduction in the DoW, a widely distributed, always-on organization that employs millions of people, is not trivial, because it reduces the number of dumb clicks from (millions × 0.12) to (millions × 0.10); at one million employees alone that is 20,000 fewer clicks to detect and clean up. That's point 1.
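To make point 1 concrete, here is an added worked example (my code, not part of the original post or of Ho et al.): a pooled two-proportion z-test applied to the post's 12% → 10% click rates. The 1,000-person cohort and the two rates come from the post; the assumption that the trained and untrained cohorts are the same size, and the 5% significance level, are mine. It shows that the same 2-point drop is indistinguishable from noise at n = 1,000 but is both statistically significant and a large absolute number of prevented clicks at DoW scale, and it gives the cohort size at which the z statistic would first cross the critical value.

```python
import math

# Added example, not from the original post. Pooled two-proportion z-test on
# phishing click rates. Assumption (mine): trained and control cohorts have
# the same size n; rates 0.12 -> 0.10 are the post's numbers.


def two_proportion_z(clicks_control, n_control, clicks_trained, n_trained):
    """Pooled two-proportion z-test. Returns (z, two-sided p-value)."""
    p_control = clicks_control / n_control
    p_trained = clicks_trained / n_trained
    pooled = (clicks_control + clicks_trained) / (n_control + n_trained)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_control + 1 / n_trained))
    z = (p_control - p_trained) / se
    # Two-sided p-value from the standard normal CDF via erf (no SciPy needed).
    p_value = 2 * (1 - 0.5 * (1 + math.erf(abs(z) / math.sqrt(2))))
    return z, p_value


def training_effect(n, rate_control=0.12, rate_trained=0.10, alpha=0.05):
    """Evaluate a rate_control -> rate_trained drop in two cohorts of size n.

    Returns the z statistic, the p-value, whether the drop is significant at
    alpha, and the absolute number of clicks prevented, which is the number a
    defender actually has to triage regardless of what the p-value says.
    """
    clicks_control = round(rate_control * n)
    clicks_trained = round(rate_trained * n)
    z, p = two_proportion_z(clicks_control, n, clicks_trained, n)
    return {
        "n": n,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
        "clicks_prevented": clicks_control - clicks_trained,
    }


def cohort_needed(rate_control=0.12, rate_trained=0.10, z_crit=1.96):
    """Smallest per-cohort n at which z reaches z_crit for this effect size.

    Closed-form rearrangement of the z-test (n = z^2 * 2p(1-p) / d^2 with the
    pooled p); it is a detection threshold, not a power calculation.
    """
    pooled = (rate_control + rate_trained) / 2
    d = rate_control - rate_trained
    return math.ceil(z_crit ** 2 * 2 * pooled * (1 - pooled) / d ** 2)


if __name__ == "__main__":
    for n in (1_000, 10_000, 1_000_000):
        r = training_effect(n)
        print(f"n={r['n']:>9,}: z={r['z']:5.2f} p={r['p_value']:.3g} "
              f"significant={r['significant']} "
              f"clicks_prevented={r['clicks_prevented']:,}")
    print(f"cohort needed per arm for 12% -> 10% at alpha=0.05: "
          f"{cohort_needed():,}")
```

At n = 1,000 the test gives z ≈ 1.43 (p ≈ 0.15), so the medical-center result is consistent with chance; at n = 1,000,000 the same rates give a z in the forties and 20,000 prevented clicks. The crossover is around 1,900 people per cohort, which is larger than the workforce in the Ho et al. setting, so "not significant there" says nothing about the effect at DoW scale.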
The DoW has annual cybersecurity training. "Relaxing the mandatory frequency" means they train on what cadence? Every 5 years? Suppose the cyberthreat surfaces change in year 3 -- what then? Point 2.
Point 3. Let's think critically about this. Assuming that DoW understands that some warfare will shift to cyberwarfare, a new cadre will have to engage in cyberdefense as well as cyberwarfare. A "new cadre" means hundreds of people hired to protect systems, set against the fixed cost of a training program that already exists; whatever is saved by relaxing the cadence is small next to that hiring bill. There's maybe not much juice in that squeeze.
Final point. Doing cybersecurity in any organization is hard. Your adversaries are upping their game. The DoW has a lot of adversaries, and some of them are good at this sort of warfare. The DoW is not out to be less cyber-secure; unclassified shocker alert: the memo does not say DoW wants less cybersecurity, it says personnel need to be lethal instead of sitting in training. Part of being lethal is being capable of dominating your adversary. Making your personnel less able to dominate your adversary makes them less lethal.
When we test Hypothesis A versus the null hypothesis, we learn only about the one treatment we tested, A. The test says nothing about whether a different treatment B or C would work.
Here is some free consulting advice to DoW: Let's say that "typical" cybersecurity training "doesn't work." That's Hypothesis A v. null hypothesis. Think more carefully about other cybersecurity interventions -- call them Hypothesis B and Hypothesis C -- that could be used by DoW instead of A. Maybe B is training on "adversarial approaches to cyberwarfare" and C is training on "how to identify and defeat a cyber-attack."
If the cadence of training is going to get "relaxed" please use better, more lethal training!
Bet you an MRE that they would work and bet you another MRE they work better than standard cybersecurity training.
[exhale]
Ask us how to create cybersecurity awareness training with the right expectations.