Analyst(s): Joanna G. Huisman
People influence security far more than any technology or policy. Security leaders must invest in computer-based training tools that increase security awareness and influence behavior in support of critical security business objectives.
By 2019, the market for security awareness computer-based training (CBT) will evolve to incorporate integration with employee monitoring and endpoint detection and response (EDR) solutions as part of the standard, expected feature set.
People impact security outcomes, much more than any technology, policy or process. The market for security awareness computer-based training is driven by the recognition that, so long as technology-based security systems do not provide perfect protection, people play an undeniable role in an organization's overall security and risk posture. This role is defined by both inherent strengths and weaknesses: people's ability to learn and their capacity for error.
End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management leaders to help influence the security behaviors of people: employees, citizens and consumers.
Interactive computer-based training is a central component of a comprehensive security education and behavior management program. It is a mechanism for the delivery of a learning experience through computing devices, such as laptop computers, tablets, smartphones and Internet of Things (IoT) devices. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported. Understanding the diversity of people in the organization is as important to security and risk management leaders as an understanding of how security fits into an organization's larger goals.
Enterprise and employee adoption of mobile, IoT and cloud solutions requires chief information security officers (CISOs) and employee communication leaders, such as human resource managers, to recognize the increasing impact of employee behavior on the efficacy of enterprise security and risk management.
Security awareness is a far-reaching concept; this research aims to limit the focus to the appreciable market space where education materials are offered. The term "security awareness" is commonly used to refer to a broad range of education, communication, and behavior management activities and learning outcomes. These activities and outcomes include:
Complying with regulations, procedures and policies
Supporting disciplinary actions
Increasing employees' knowledge and competency concerning threats, risks and security options
Changing and maintaining employees' security behavior and building a more security-aware culture
As often emphasized in Gartner research on security awareness, security decisions are closely linked to business objectives. In this research, Gartner uses "security education" to refer to the overarching set of activities and objectives that elevates security competencies and motivates employees to make better security decisions for themselves that are also appropriate for the organization. The organization's education process should prepare the staff for decisions that align with enterprise security performance objectives and expectations. Awareness of threats and mitigating actions is one possible function in a security education program. Direct behavioral conditioning — such as anti-phishing projects (see Note 1) — is another form of security education. Others include security communication and internal marketing campaigns involving posters, competitions and advertising-style messaging.
Solutions with different objectives for security education all share the ultimate goal of supporting enterprise requirements for the management of security risks. Security education can fulfill multiple objectives and requirements, including compliance with regulations that mandate security training; establishment of clear behavioral guidelines to support disciplinary processes, which are typically described in acceptable-use and/or security policies; improving employee knowledge of security and risk topics; and motivating desired security behaviors in the appropriate context.
Effective security education and communication are critical elements of a people-centric security strategy (see "Definition: People-Centric Security" ).
Relevancy and adaptation are key imperatives for security and risk management leaders. Most organizations have invested in some form of security awareness activities for decades. New technologies, new threats and new patterns of work compel organizations to seek more sophisticated behavioral support approaches. These incorporate a broad range of deployment models, increased frequency of learning opportunities, context-specific training content and structure, and metrics that support continued investment in awareness and security education.
In addition, many security and risk management leaders prioritize evidence of the effectiveness, or ROI, of the security awareness program. The result is increasing demand for measurement of persistent learning outcomes. Some organizations offer a preassessment so that employees can "test out" of some courseware if they can demonstrate knowledge mastery, and to create a baseline against which future performance can be measured.
The market for CBT for security awareness is characterized by vendor portfolios that include ready-to-use, interactive software modules. These modules are available as internet-based services or on-premises deployments via client-managed learning management systems (LMSs) and vendor support for the Sharable Content Object Reference Model (SCORM) standard. The products included in this Magic Quadrant support multilingual and multicultural audiences — that is, they are available in English and at least one other language. They offer delivery via a variety of digital endpoints and assessments of trainee participation and completion. Vendors that support this market target end-user organizations of all sizes; however, enterprise clients commonly demand ancillary capabilities, such as customization of content, creation of new content, and advanced assessment and reporting capabilities. Security education and awareness CBT is generally licensed on a per-user, per-year pricing structure, with limited exceptions. Vendors that offer traditional CBT and anti-phishing solutions consistently have separate licensing and pricing for each type of solution, although package contracts are common. Pricing can be per CBT module or for a bundled number of modules, or it may include access to all content under a single license fee.
Security education CBT is suitable for organizations of all sizes and is of particular use to geographically distributed organizations that seek common security performance across all employee groups. The increasing diversity of CBT offerings requires prospective buyers to clarify the learning outcomes (see "Effective Security Awareness Starts With Defined Objectives" ) they seek prior to vendor engagement. They must also integrate security education CBT into a consistent program of security maturity improvement across the enterprise.
As products within this market mature, each vendor seeks to differentiate its products and services in a variety of ways. In recent years, many vendors sought to distinguish themselves by adding anti-phishing behavior management capabilities to their product sets. This has now become less of a differentiator, because the vast majority of vendors have now incorporated that functionality or have very well-established partnerships with anti-phishing behavior management vendors. As outlined below, content is now king.
Vendor differentiators in 2016 and 2017 include:
Variety of content formats, lengths and styles: Content is the most prominent differentiator now. Many clients and vendors recognize that their security training cannot be effective if approached with a "one size fits all" mentality. As such, they are developing content of different lengths, such as short-burst one- to two-minute microlearning lessons, and in different styles — for instance, ranging from extremely corporate-friendly and "safe" to more edgy styles using humor. This allows audiences to potentially receive the same information in multiple forms, thereby increasing the possibility for information absorption. Customization of content also addresses the needs of particular roles or audiences. For instance, training for call center employees should be different from the training aimed at executives (see "Segment Your Audience for Effective Security Awareness Communications" ).
Gamification: Some vendors include a focus on gamification. This is broader than just including games as learning tools. In this context, "gamification" includes the establishment of multidepartment leaderboards so that departments are ranked against each other in various ways. Some vendors that provide gamification as an option are also thinking differently about reward and recognition options for those users that exhibit heightened security behaviors.
Multilanguage support: Most long-standing vendors offer support for all major language groups, and many vendors now distinguish themselves by offering out-of-the-box support for 20 or more languages; some offer more than 50, including cultural variants/dialects of languages. However, Gartner recommends that organizations verify the accuracy of translations with their own in-country personnel before deploying pretranslated materials.
Large supplemental content libraries: In recognizing that security and risk management leaders are not full-time content writers, graphic designers or marketing experts, many security awareness CBT vendors offer large libraries of predesigned content to serve as additional/supplemental campaign artifacts or for ad hoc communications. These can include materials for newsletters, intranet postings, emails, security alerts, security information for families and so on.
Integration partnerships and possibilities: Some vendors are also exploring interesting partnerships with core security technology vendors, such as employee monitoring vendors, endpoint detection and response (EDR) vendors, endpoint protection platform (EPP) vendors, secure email gateway (SEG) vendors, data security (DS) vendors and others. The goal of such partnerships is to be able to leverage any real-time data generated or collected by core technologies, as well as log data to provide just-in-time learning based on observed unsecure behavior exhibited by an employee. Additionally, when unsecure or risky behavior is logged, the behavior could trigger autoenrollment into a contextually relevant training module. This is a natural evolution of the anti-phishing behavior management market. The aim is to create observed and individualized behavior-based training that is specifically relevant to the learner. This is an emerging area that Gartner will continue to track.
Competitive pricing: Price is currently the biggest disruptor in the market. As a result, most of the vendors in this space offer some free CBT or internal marketing materials. Vendor PhishMe introduced PhishMe Free, aimed at small and midsize businesses (SMBs), with 12 no-cost anti-phishing campaigns per year coupled with free CBT content; while KnowBe4 has published competitive prices on its website for up to 5,000 users. A number of vendors have adjusted pricing downward in an attempt to differentiate on price and to seek a large share of the SMB market that will not tolerate traditional pricing for products in this market.
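The integration partnerships bullet above describes just-in-time, behavior-triggered training: a core control (SEG, DLP, EDR) logs a risky action, and that event autoenrolls the employee in a contextually relevant module. The following is an added example sketching that pipeline; it is not code from this report or from any vendor named in it. The event names, module identifiers and the JSON log format are assumptions, and the sample log lines are constructed. It adds two things a practitioner would want that the bullet does not spell out: a per-user, per-module cooldown so one noisy employee is not enrolled repeatedly, and retention of only the fields needed to justify the enrollment (no message bodies, URLs or file names), which is the data-minimization point raised later under the privacy cautions.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical mapping from an observed risky-behavior event (as a SEG, DLP
# or EDR product might log it) to the training module that addresses it.
# Both the event names and the module identifiers are assumptions.
EVENT_TO_MODULE = {
    "phish_sim_click": "TRN-PHISH-101",          # clicked a simulated phish
    "dlp_block_external_share": "TRN-DATA-201",  # blocked external data share
    "edr_blocked_macro": "TRN-MACRO-110",        # opened a doc with a blocked macro
}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format of the feed


@dataclass
class Enrollment:
    user: str
    module: str
    trigger: str      # event type only; no payload details are kept
    when: datetime


@dataclass
class JitEnroller:
    """Turns telemetry events into training enrollments.

    A (user, module) cooldown stops the same module being assigned every
    time the control fires for the same person; enrollments store only the
    minimal fields needed to explain why the training was assigned.
    """
    cooldown: timedelta = timedelta(days=30)
    enrollments: list = field(default_factory=list)
    skipped: dict = field(
        default_factory=lambda: {"cooldown": 0, "unmapped": 0, "malformed": 0})
    _last: dict = field(default_factory=dict)  # (user, module) -> last enrollment time

    def process_line(self, line: str):
        try:
            event = json.loads(line)
            user = event["user"]
            kind = event["event"]
            when = datetime.strptime(event["ts"], TS_FORMAT)
        except (ValueError, KeyError, TypeError):
            # json errors are ValueErrors; missing keys or non-dict JSON land here too
            self.skipped["malformed"] += 1
            return None
        module = EVENT_TO_MODULE.get(kind)
        if module is None:
            self.skipped["unmapped"] += 1   # benign or unrelated telemetry
            return None
        key = (user, module)
        last = self._last.get(key)
        if last is not None and when - last < self.cooldown:
            self.skipped["cooldown"] += 1   # already enrolled recently
            return None
        self._last[key] = when
        enrollment = Enrollment(user=user, module=module, trigger=kind, when=when)
        self.enrollments.append(enrollment)
        return enrollment

    def process(self, lines):
        for line in lines:
            self.process_line(line)
        return self


# Constructed sample feed: one repeat inside the cooldown window, one
# unmapped event, one malformed line, and one repeat after the window.
SAMPLE_LOG = [
    '{"ts": "2017-10-02T09:14:05Z", "source": "seg", "event": "phish_sim_click", "user": "alice"}',
    '{"ts": "2017-10-02T10:00:00Z", "source": "dlp", "event": "dlp_block_external_share", "user": "bob"}',
    '{"ts": "2017-10-10T08:00:00Z", "source": "seg", "event": "phish_sim_click", "user": "alice"}',
    '{"ts": "2017-10-11T12:30:00Z", "source": "idp", "event": "login_success", "user": "carol"}',
    'not json at all',
    '{"ts": "2017-11-15T09:00:00Z", "source": "seg", "event": "phish_sim_click", "user": "alice"}',
]


def run_sample():
    return JitEnroller().process(SAMPLE_LOG)


if __name__ == "__main__":
    result = run_sample()
    for e in result.enrollments:
        print(f"{e.when:%Y-%m-%d} enroll {e.user} in {e.module} (trigger: {e.trigger})")
    print("skipped:", result.skipped)
```

In a real deployment the input would be the EDR/SEG/DLP event feed and the output an enrollment call against the LMS; the cooldown length and the event-to-module table are policy decisions to be agreed with HR and privacy stakeholders before any behavior-triggered training goes live.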
The market grew roughly 54% from 2015 to 2016, and is currently projected to continue at a similar rate as 2017 draws to a close, with a projected 2017 market size of approximately $370 million (see Note 2: Calculating Market Size for Security Awareness CBT). The vast majority of the vendors in this Magic Quadrant experienced year-over-year revenue growth.
The investment community continues to track this market closely. In 2016, Gartner received a number of inquiry calls from the investment community taking note of the continued market presence and the success of a number of security awareness CBT vendors.
CISOs and other purchasers of security awareness CBT products should resist basing their vendor evaluations solely on technical/functional requirements. Security awareness materials are the touchpoint with the security department for the rest of the organization. As such, ensuring that the tone, production value, and overall look and feel of the solution are a good match for your specific organization is fundamental to success. Comparisons are important when considering interfaces and user experience. If the solution you are evaluating does not have content and an interface that is as good as or better than anything else your company has released, then other vendors should be evaluated.
Source: Gartner (October 2017)
Global Learning Systems (GLS) offers robust services in the design, development, deployment and ongoing management of security training. The vendor offers a wide range of scalable, multilanguage solutions through its OnDemand Learning Portal, anchored on the theme of building a "human firewall." Topics include traditional security awareness information and regulatory compliance. GLS segments its offering into three distinctive, tiered bundles: essentials, standard and comprehensive. Each is able to address the current needs of your business, while providing a roadmap as your needs change and your program matures.
The vendor offers a solid assessment tool, SecureGenius, for ongoing evaluation of competency levels within your user base. GLS's inclusion of anti-phishing capabilities creates a comprehensive portfolio for security education and behavior management. GLS is committed to providing more variety of learning options by continuing to grow its gamified content, animated video product suite and internal marketing tools.
Content is currently offered in 26 languages.
The interactive training content and varied formats are designed to keep learners engaged, reinforce core messages and aid in knowledge retention. Optimization for content presentation on smartphones and tablets provides strong support for modern endpoint portfolios and digital workplaces.
GLS approaches each customer in a consultative manner through its tiered bundle offerings, allowing customers to leverage GLS content in the most effective manner given their current maturity.
GLS offers an out-of-the-box solution for security awareness managers needing an immediate multiyear roadmap with prestructured campaigns and supporting materials. GLS is also providing expanded internal marketing and communications tools designed to promote ongoing reinforcement.
U.S.-centric sales and service may inhibit uptake of the solution by clients outside of North America; however, GLS has prioritized a strategy for continuing to grow its customer base outside of North America in 2018. Its trajectory is strong, with international client revenue doubling from 2015 to 2016.
Customers needing a diverse set of stylistic variations (for instance, both serious and humorous) may find that GLS does not immediately provide that variety. GLS continues to broaden the variety and domains of its content to address this challenge.
This is InfoSec Institute's first year featured in the Magic Quadrant for Security Awareness CBT. For nearly 20 years, InfoSec Institute has been providing skills training and certifications for IT security professionals, and it has used that expertise to expand into the general security awareness space with its SecurityIQ program. SecurityIQ combines anti-phishing simulation, general security awareness CBT and role-based training into a 12-month best-practices program with a default curriculum. InfoSec Institute offers a wide variety of CBT security awareness topics for general awareness and role-based and security professionals, coupled with pre-engagement surveys, preassessments, quizzes and survey assessments.
While predominantly targeting and selling to the enterprise market, InfoSec Institute offers a variety of SecurityIQ packages and pricing options to meet the unique education needs of any size organization. Also, InfoSec Institute has a "meet or beat" pricing program that allows it to remain competitive among the more prominent vendors.
Content is currently offered in 14 languages.
InfoSec Institute offers a broad range of security awareness training, meeting most key enterprise needs. It provides general awareness and role-based and security awareness training.
InfoSec Institute provides high-touch customer service, and works with clients and prospects to adjust its content to ensure clients have the right curriculum for the right audience.
Although its language support is solid, InfoSec Institute supports fewer languages than the leading global vendors, which restricts applicability to multicultural enterprises and audiences.
InfoSec Institute is a relatively new player in the general security awareness arena and does not currently enjoy the same amount of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists simply because it is not a known name.
InfoSec Institute needs to keep expanding the variety and flavors of its content. Customers needing a diverse set of stylistic variations (for instance, both serious and humorous) may find that InfoSec Institute does not immediately provide that variety.
Inspired eLearning provides a large portfolio of annually updated, role-based content that includes an anti-phishing solution. The vendor's training content is available in turnkey packages that offer adaptability as organizational needs change and mature: Starter, Fundamentals, and Advanced. These solution packages can be tailored to fit an organization's needs. The vendor offers a solid assessment tool, CyQ, providing customers the ability to identify and quantify high-risk areas within the organization. Inspired eLearning's new mobile app also allows users on Android and iOS devices the convenience of offline learning.
The CBT portfolio is augmented with newsletters, security alerts/reminders, and instructional design and customization services. Multilingual support across multiple media is available for culturally diverse employee populations.
Content is currently offered in more than 40 languages.
Inspired eLearning offers a robust library of continuously updated, diverse content, providing companies with up to nine years of nonrepeated training.
Highly innovative, corporate-friendly presentation styles combine video and immersive situation-based role-playing scenarios, allowing each user a comprehensive, unique experience.
Inspired eLearning's analytics platform provides organizations with useful metrics to measure training effectiveness. It is enhanced by its adaptive training capabilities, which present each user only with information he or she doesn't know, while giving users credit for information they do know.
Pricing continues to be on the high end when compared with other competitors (which may not be as feature-rich).
The lack of a physical presence outside the U.S. may be an obstacle for clients based outside of North America; however, multilanguage support is strong, and the company continues to build a more robust global strategy to expand its reach into multiple regions.
KnowBe4 is the fastest-growing vendor in this space in revenue and customer count, as compared to its position in 2016. KnowBe4 markets anti-phishing behavior management coupled with basic security awareness CBT offered in several packages. Its most popular offering level, Diamond, allows access to a large library of content as a result of its December 2016 acquisition of The Security Awareness Co. This vendor introduced a user-friendly Module Store, or ModStore, in 2017, creating a marketplace administrative experience.
KnowBe4's addition of the Automated Security Awareness Program (ASAP) provides an "Awareness Program in a Box" toolkit approach, offering both ease of use for first-time security awareness buyers and a checkpoint for established programs. KnowBe4 has capabilities to improve employee resistance to different kinds of social engineering attacks through various forms of penetration tests.
Content is currently offered in 28 languages; however, not all content is available in all languages.
KnowBe4 continues to innovate new technology-based paths based on real-world social engineering methodologies to measure social engineering vulnerability within client organizations at the individual employee level.
KnowBe4's aggressive pricing structure is very attractive to companies looking to purchase security awareness and anti-phishing behavior management solutions on a limited budget. KnowBe4 is the first in the industry to provide pricing on its website for up to 5,000 users.
KnowBe4 is currently the fastest-growing company within this market and is growing its sales force to keep pace with demand.
KnowBe4's alignment with the Kevin Mitnick name can be polarizing to some potential buyers.
While KnowBe4's growth has been impressive, it needs to ensure that its frontline sales staff are viewed/positioned as subject matter experts in the area of security awareness, and can articulate the importance of a more security-aware culture within the wider context of a larger security-and-risk-based strategy.
MediaPro provides all the components needed to run a complete security awareness program. Its highly flexible Adaptive Awareness Framework platform includes program planning tools, customizable CBT content, reinforcement materials (such as animations, games, posters and articles), phishing simulations and knowledge assessments. These products can be licensed separately or as bundles. CBT content is provided via Course Builder as preconfigured modules and as libraries of flexible microlearning topics. These can be rapidly assembled into various unique instructional programs to meet the unique needs of different types of learners within an organization. Enterprise customers appreciate the ease and speed of customization across all types of content.
MediaPro regularly adds to and updates content to align with risks and use cases. Recent updates include risk management, privacy, secure application development, the EU General Data Protection Regulation (GDPR) and corporate compliance. Content is interactive, with a nearly continuous assessment of skills and knowledge acquisition. MediaPro's phishing and knowledge assessment services are integrated with its CBT and LMS, enabling dynamic delivery of CBT topics based on user behavior and assessment responses.
Content is currently offered in 35 languages.
MediaPro offers one of the most flexible integrated content solutions within this market, allowing clients to customize and create courses in an easy, drag-and-drop environment.
MediaPro has a large library of reinforcement materials (videos, posters, articles and games) that can be easily downloaded and leveraged in ad hoc communications or as strategic components in planned campaigns.
MediaPro provides a self-service Planning Tool that allows clients to build year-round awareness programs based on a variety of prebuilt program templates.
A high level of interactivity in CBT builds trainee competence and skills retention.
While one of MediaPro's main strengths is the flexibility of its course builder, some clients may not have the sophistication or technical expertise to build effective modules.
MediaPro's brand name is not as well-known as those of some of its competitors, and thus it may be prematurely dismissed from customer shortlists.
PhishLine is an anti-phishing behavior management and security awareness CBT provider with a particular focus on the data science of phishing measurement. Along with PhishLine's extensive library of CBT content, it currently partners with six security providers to offer clients CBT content through its vast Content Center Marketplace, which is able to meet the needs of many learners and styles. PhishLine has focused on updating and modernizing its brand while sharpening the look and feel of its content, offering a more engaging and animated style, including a new gamified approach.
Extensive analytics enable more complex behavioral assessment and targeted education than is common with competitive anti-phishing solutions. Assessment capabilities include a variety of social engineering and phishing simulations that allow users to apply and demonstrate acquired knowledge.
Content is currently offered in 15 languages.
Continual analysis of employee performance enables highly individualized training curricula for each employee that is based on the actual security behavior of that employee.
PhishLine offers a data-scientist-level view into the facets of how to create a simulated phish, and how to measure and report on the data gathered and available through simulated phishing tests and CBT assessments.
PhishLine's Content Center Marketplace provides a simple platform for customers to pick and choose from a large variety of CBT modules and associated content from multiple vendors, which is then aligned to specific PhishLine-created social engineering testing.
Some clients may have concerns about the amount of data that can be collected and analyzed. Customers with data collection and privacy concerns can work with PhishLine to ensure that they take advantage of the advanced configuration options that address their individual regulatory or other security/privacy needs.
Although language support is good, PhishLine does not currently support as many languages as some other leading/global vendors. However, for clients leveraging PhishLine's Content Center Marketplace, many of the modules are offered in over 30 languages.
PhishMe has a great deal of brand recognition and dominance in the security awareness market. PhishMe's focus on phishing behavior management and its large market base enable it to benchmark client performance against industry performance. This capability is supported with flexible analysis and reporting capabilities. In addition to anti-phishing, PhishMe also offers a large library of interactive content that incorporates games, video and a variety of learning artifacts. The PhishMe brand is well-known throughout the security industry, and the success of its marketing program and technical innovations have established it as the company to beat when it comes to anti-phishing solutions.
PhishMe recently introduced PhishMe Free, a real industry game changer, providing a no-cost phishing and CBT solution to small businesses with fewer than 500 employees.
Content is currently offered in 25 standard languages. Additional localized content is available in 54 languages.
Flexible analysis and reporting enable training optimization and phishing vulnerability assessment.
While PhishMe has, in many ways, become the most recognized vendor in this market, it continues aggressive reinvestment of revenue into product improvement (PhishMe Free), new capabilities and services.
PhishMe's PhishMe Reporter and PhishMe Triage products allow users to report suspected phishing emails via a "report" button in their email client; incident response teams can use these features for significant automated analysis, risk ranking and orchestration of phishing response.
While PhishMe focuses on phishing and provides a number of security awareness and training artifacts and a free CBT package, much of the CBT package is not as robust and innovative as many of the market leaders.
An increasing number of vendors provide anti-phishing solutions that could erode PhishMe's value proposition for its anti-phishing suite and challenge its traditionally higher price point.
SANS Institute continues to be a major force in the training market for IT security professionals, offering well-regarded certification and degree programs, such as the Global Information Assurance Certification (GIAC). SANS' Security Awareness CBT portfolio is extensive, offering 48 bite-sized video modules, and focuses on general security awareness, specific vertical industries, regulatory environments and roles, including senior leadership.
The offering also includes anti-phishing behavior management functionality for social engineering testing. SANS Institute offers a flexible solution that can supply security awareness "out of the box" for organizations just beginning their programs. It can equally support the individual and varied learner needs associated with intermediate-to-mature security awareness programs.
Content is currently offered with full voice-overs in 24 languages.
SANS Institute boasts one of the most robust SaaS LMS platforms offered by a security awareness vendor.
A deep knowledge of IT security management combined with adult learning psychology and design principles is reflected in the content and delivery of materials.
The large CBT portfolio covers the topics and roles that Gartner clients commonly request, using formats such as videos, games and quizzes.
Many organizations recognize the SANS brand as offering very technical training and may have concerns that its end-user training would be over the heads of less-technology-oriented staff. While this is not the case with the Security Awareness product, it is still a perception barrier that the vendor faces.
SANS' fundamental approach to CBT involves video-based modules. Organizations seeking a wide variety of CBT options that are not delivered via video may decide to complement SANS video CBT with other training content.
While SANS offers 24 languages for its online training, large global companies may still find that it does not yet support one or more of their requested languages.
Security Innovation provides a diverse set of application security and IT security training content, including traditional CBT and videos. Its substantial library of supplemental materials, Security Awareness 365, includes tip sheets, posters, lunch-and-learn activities, customer care assets, securing-your-home information, and immersive and scenario-based learning modules, all offered in a variety of styles with full animation and narratives in local languages. Security Innovation also offers customization at the course and program levels.
Security Innovation offers consulting services that clients often bundle. Security Innovation's inventive and interactive Hackathons are immersive and situation-based learning experiences, allowing staff to think like hackers while competing in a gamified, real-world environment.
Content is currently offered in 20 languages.
Security Innovation's use of diverse media, mixed duration, interactivity and changing visuals in modules enhances the uptake and retention of new skills.
The vendor's holistic, life cycle approach to training management promotes close alignment with enterprise risks and performance gaps.
Security Innovation doubled its language support from 2016, making its program more applicable to multicultural enterprises and audiences.
When compared with other market leaders, the range of topics covered by Security Innovation may become a limitation as the program grows in maturity and seeks to support varied and deeper learning content.
Security Innovation does not currently enjoy the same amount of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists simply because it is not a known name.
Security Mentor's approach to learning is self-proclaimed as "Brief. Frequent. Focused." It offers short-duration CBT (approximately 10 minutes per module) structured for frequent delivery to each employee. CBT modules include games and opportunities to practice new skills, with remediation techniques provided (when appropriate). All content is interactive and highly engaging, with a continually growing and refreshed curriculum composed of basic, more advanced and role-based content in formats that are easy to understand and navigate. Security Mentor leads in the area of gamified content, offering friendly competition within teams or across an enterprise, and recognizing users for their security knowledge and behavior. Security Mentor has also expanded its marketing awareness materials by adding a variety of posters and has recently introduced the anti-phishing simulation tool PhishDefense.
Security Mentor's LMS functionality is robust and intuitive. Security Mentor offers clients the ability to upload their organizational policies to its system for compliance attestation and tracking. Consulting services are available to assist in customization of educational programs and optimization of client learning outcomes.
Content is currently offered in 13 languages.
The short duration of the CBT modules is attractive for clients that are seeking to limit the productivity impact of training participation while maintaining a high-impact curriculum.
Lessons are interactive, graphical and instructionally designed for trainee engagement and learning.
Security Mentor is in a growth phase, focusing on rapid expansion of global partnerships, as well as refinement of its curriculum and platform.
While Security Mentor's language support is good, it is not yet as expansive as that of many competitors.
Security Mentor does not currently enjoy the same amount of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists simply because it is not a known name.
Terranova WW provides a large library of CBT modules and supporting materials primarily focused on general security, privacy and compliance awareness, supporting the "knowledge/support/motivation" behavior change theory. Interactive content is supported by posters, newsletters and short videos, as well as by assessment and customization services. Terranova WW also provides an anti-phishing simulation platform and training. Preassessments and postassessments are available, and employee skills retention is tested in each CBT module.
Terranova WW provides strong support prior to implementation to enable clients to select appropriate content for different user populations, and to develop effective communication and deployment strategies. Terranova delivers its content in the most languages of any vendor in this research, meeting the multilingual and multicultural needs of almost any global enterprise.
Content is currently offered in 39 languages.
Terranova WW supports each customer in a very consultative manner, ensuring that proper customization of content is achieved and that the learning paths are clearly defined and well-suited to the organization's selected roles and groups of learners.
Lessons are highly interactive, graphic-rich and instructionally designed for trainee engagement and learning.
Ongoing assessment of trainees aids in the fine-tuning of curricula to meet security performance objectives.
While Terranova does possess a large library of content and resources, the content's look and feel may not resonate with some organizations. However, Terranova offers customization services to match customer needs.
Terranova does not currently enjoy the same amount of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists simply because it is not a known name.
Wombat Security Technologies continues to be a leading provider of innovative security education and behavior management CBT, and features on nearly all customer shortlists. In addition to a portfolio of CBT on traditional security awareness topics, Wombat provides an effective anti-phishing solution that also supports simulated attacks through USB devices and SMS. Wombat provides extensive services in training needs analysis, content development, CBT customization and security essentials training for executives. Wombat provides guidance on curriculum scheduling based on continuous assessment, refinement, targeted education and behavioral metrics to optimize retention of learned behaviors.
Wombat introduced a series of clever awareness video campaigns as a companion to its current CBT offering in order to show the "lighter side" of security awareness. Wombat has been focused on further expansion of its global footprint, with more penetration into Europe and Asia. It has also taken aim at the SMB market, packaging and pricing its solutions to deliver enterprise-like service at a small-business price.
Content is currently offered in 31 languages.
Continuing innovation in support of measurable security performance also supports the clients' need to enhance risk mitigation through the management of user behavior.
Wombat is very well-suited to enterprises of all sizes seeking to deploy broad-based security awareness and anti-phishing training, with a consistent corporate look and feel that utilizes adult learning principles applicable across a variety of learning styles.
Wombat's approach to "teachable moment" learning engages participants in the learning process through a variety of methods that encourage application of knowledge in scenario-based modules.
Organizations seeking a wide variety of CBT presentational formats and styles may find Wombat Security Technologies' content limiting.
Wombat's pricing remains relatively high compared with many competitors, depending upon the solution being purchased.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Optiv (formerly Optiv Security)
The Security Awareness Co.
Symantec (Blackfin Security)
Gartner's view of the market emphasizes transformational technologies or approaches delivering on the future needs of end users. It is not focused only on the market as it is today.
Gartner defines "security awareness CBT" as the delivery of a standardized set of interactive security education and/or security behavior management content to a trainee/user via an endpoint computing device (such as a laptop, desktop or tablet). Training content focuses on general users of IT, not security or IT professionals. Although customization of this content may be provided as a service, the essential element is a catalog of core training content.
The security education CBT definition does not include solutions delivered through vendor personnel on-site (such as live training sessions), content delivered to trainees through noncomputing mechanisms (such as printed manuals or newsletters), nor services that produce novel and unique CBT solutions for a single client.
The inclusion criteria represent the specific attributes that Gartner believes necessary for inclusion in this research. To qualify for inclusion in the 2017 "Magic Quadrant for Security Awareness Computer-Based Training," vendors must:
Compete in the market for security education CBT, as defined above.
Demonstrate a competitive presence in end-user organizations.
Demonstrate ability to provide training content in English and at least one other language.
Provide a diverse set of security content/curriculum.
Provide trainee performance assessments against defined learning outcomes.
Offer through a vendor-owned technology or through a partnership an automated social engineering simulation tool — such as anti-phishing behavior management — for measuring current behavior and promoting behavior change.
Demonstrate security education CBT revenue of over $3 million and a security education CBT customer count of over 150 client organizations.
Be the original developer of the solution. Although we examine strategic partnerships as part of our analysis, we do not include resellers in our research.
Product or Service: This includes service and customer satisfaction in deployments of the security education CBT. Execution considers factors involved in the selling, deployment and support of the education solution. Strong execution indicates that a company has clearly demonstrated that its solution has been successfully deployed and maintained, and that the company wins a large percentage of engagements in competition with other vendors. Companies that execute strongly generate persistent and pervasive brand awareness and loyalty among Gartner clients, and they are mentioned regularly in inquiries with Gartner analysts. Execution is not strongly correlated to company size or market share, although these factors can influence a company's ability to execute over time. Although sales success is a factor in the Ability to Execute, continuing innovation and quality of the solution portfolio have greater impact. Key features are weighted heavily. These include multiple modules of software, content that covers topics commonly raised by Gartner clients, customization of content, interactive learning experiences, content translations and support for multiple types of endpoints. Support is determined by quality and breadth.
Overall Viability: This includes overall financial health, prospects for continuing operations, company history and demonstrated commitment to the security education market. All vendors were asked to disclose comparable market data, such as revenue, quantity of customers, quantity of trainees and competitive wins.
Sales Execution/Pricing: Gartner evaluates the company's pricing, deal size and installed base. This analysis includes the company's sales and distribution operations and relationships. Pricing is compared in terms of typical deployment models. The robustness of sales channels is a strong factor.
Market Responsiveness/Record: Gartner's analysis focuses on the company's ability to support changing client requirements for security performance management.
Marketing Execution: This criterion includes competitive visibility in client RFPs and competitive visibility with other vendors. The prominence of solution innovations in the market is a key factor, as are pricing innovations. Support for multiple endpoint platforms is heavily weighted, as is the depth of support for customization of content and structure of the solution.
Customer Experience: Given the culture-specific and subjective nature of training effectiveness, this factor is heavily weighted in our analysis. Customer satisfaction throughout the client-vendor relationship is examined.
Operations: The experience and track record of company management in training design/development and the security marketplace are critical factors. Effective training solutions can be developed and marketed by small organizations. As a result, this factor focuses on the quality of staffing, rather than the quantity of personnel.
Evaluation criteria table (Ability to Execute); the weightings are not reproduced in this extract. Source: Gartner (October 2017)
Market Understanding and Marketing Strategy: Gartner assesses these factors via interactions with vendors, feedback from Gartner customers, and direct interactions with vendor solutions and materials. We evaluate the vendor's proven ability to anticipate market changes and lead customers to optimal performance. We also examine the company's understanding of and commitment to the security education market.
Sales Strategy: This includes customer relationship management before purchase as well as during and after deployment of the solution. Companies need to demonstrate an understanding of the various decision makers and influencers within client organizations for security education solutions. Channel and third-party ecosystem strategies also apply.
Offering (Product) Strategy: This factor focuses on a vendor's solution roadmap, current solution features, variety and volume of content types, and solution performance. Integration of the CBT solution with other systems and capabilities — for example, LMS integration and LMS as a service — is also examined. Strong emphasis is placed on vendor support for reporting mechanisms that provide credible evidence of trainee progress, as well as improvement of security performance in the context of defined learning outcomes.
Business Model: This includes R&D spending as well as the vendor's approach to developing new capabilities and features.
Vertical/Industry Strategy: While this Magic Quadrant is primarily focused on general end-user security education, training for security and data handling requirements aligned with specific verticals/industries is taken into account.
Innovation: This factor is heavily weighted and focuses on innovation in the core solution and supporting services and solutions.
Geographic Strategy: This Magic Quadrant is global in scope, but many vendors demonstrate the strongest performance in their home geographies — for example, U.S. vendors perform best in North America. As a result, our analysis closely examines vendors' ability to support geographic markets beyond their home territories.
Evaluation criteria table (Completeness of Vision); the weightings are not reproduced in this extract. Source: Gartner (October 2017)
The security education CBT Leaders quadrant is composed of vendors that: (1) provide solutions that are a good match to market requirements; (2) have been the most successful in building a customer base and revenue stream within the CBT market; and (3) have relatively high viability (due to CBT revenue). In addition to providing CBT that is a good match to customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and provide a range of CBT capabilities that target education and behavior management. Leaders have a demonstrable track record of content revision and expansion to meet market requirements. They have demonstrated positive customer feedback for effective CBT and related services, as well as focusing intently on anticipating market needs and evolving accordingly.
The Challengers quadrant is composed of vendors that have a sustainable customer base and revenue, proven market relevance and adaptability, and solutions that meet the majority of market requirements. Vendors in this quadrant typically have strong execution capabilities, as evidenced by financial resources, significant sales, customer counts and brand presence garnered from the company as a whole or from other factors. However, Challengers have not demonstrated as rich a capability or track record for CBT offerings as vendors in the Leaders quadrant.
The Visionaries quadrant is composed of vendors providing CBT solutions that are good functional matches to general security education market requirements; however, these vendors have a lower Ability to Execute score than the Leaders. This is typically due to a smaller presence in the market than the Leaders, as measured by installed base, revenue size or growth, a smaller overall company size, or general viability. Visionaries may also be vendors that specifically choose to focus with excellence on an innovative subset of market needs.
The Niche Players quadrant is composed primarily of smaller vendors providing security education CBT that matches specific security education use cases, which are a subset of CBT market requirements. Niche Players focus on a particular segment of the client base, or a more limited product set. An ability to outperform or innovate may be affected by this narrow focus. Vendors in this quadrant may have a small installed base, or they may be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor's value in the more narrowly focused service spectrum.
The security education CBT market is a rapidly growing market focused on the delivery of content for end-user security awareness. The market is currently evolving as it seeks to provide demonstrable benefit to organizations rather than just being a regulatory compliance "check box." Innovations are currently focused on:
Behavioral intervention (which began with anti-phishing behavior management toolsets and is evolving into other integrations with more traditional security controls)
Wide, diverse content sets, styles and supporting materials to support multiple learner contexts
Robust LMS platforms to enable content assignment as well as reporting of metrics
Support for large sets of languages to enable global delivery of content
Intersection with threat intelligence, endpoint detection and response (EDR), and incident response to enable tailored, context-relevant training/testing content, as well as the ability to quickly analyze reported/suspected phishing emails and determine their risk.
The structure and content of solutions remain dynamic in response to changing threats and employee behaviors. Continual changes in the devices that workers use and the locations where work is conducted are forcing organizations to influence employees' security behavior and improve their security performance in workplaces. This ongoing change in the digital workplace erodes the efficacy of static education programs, driving enterprises to seek regular updates and improvements to the structure and focus of security education. Demand for innovative solutions that drive validated improvement in security performance is increasing, as is the demand for robust training performance metrics and reporting.
Market growth in security education is driven by changes in threats to the enterprise (such as the continuing expansion of cybersecurity regulations targeting employee actions, threats that target employees and their devices, and employee use of technology that is beyond the control of the IT security organization), as well as increasing recognition that internal security departments are rarely able to produce effective security education or behavior management programs. The combination of increased risks and a lack of internal expertise pushes many CISOs to seek solutions in the market that are capable of producing measurable improvements in employee security behavior. In order to support security objectives, employees need skills, knowledge and motivation. Security education focuses on developing secure employees who, in turn, enable security performance and regulatory compliance.
The challenge of capturing market numbers for security education is exacerbated by the extreme diversity of activities, products and services that are present in the market. For example, security education programs can include security policy communication systems, live instruction (on-premises), posters/handbills, games/contests, manuals and videos. This Magic Quadrant focuses on the portion of the overall security education market that is most often discussed by Gartner clients: security education delivered to employees via digital endpoints. Within that context, market growth is extremely robust.
The market has experienced greater than 54% growth from 2015 through 2016 and is currently projected to continue at a similar rate as 2017 draws to a close, with projected 2017 market size of approximately $370 million (see Note 2: Calculating Market Size for Security Awareness CBT). The vast majority of the vendors in this Magic Quadrant experienced year-over-year revenue growth.
Growth projections for the next several years remain strong, with a Gartner forecast compound annual growth rate (CAGR) of 45% from 2016 to 2021, and revenue reaching over $1.5 billion in 2021.
Given that most organizations of any size need to provide some level of security training for their employees due to regulatory requirements and other objectives, solution vendors can continue mining a very large anticipated total addressable market (approximately $1.5 billion depending on solution price tolerances). As such, Gartner anticipates sustained year-over-year growth in the 50% to 60% range through at least 2020.
Anti-phishing behavior management continues to be a popular segment of the security awareness CBT market, with vendors seeking to innovate into new areas of behavior management, measurement and influence. This popularity is due to both the demonstrable and evolving threat of phishing — phishing attacks have been the initial attack vector in multiple, large, high-profile breaches — and the ability of anti-phishing solutions to demonstrate behavior improvement in targeted employees. Nearly all vendors now offer some form of anti-phishing behavior management through in-house development of a solution, licensing of technology from another vendor or partnership with an anti-phishing solution provider. While anti-phishing behavior management is still a driver for this market, vendors with such solutions are no longer differentiated by having the solution. It is now the market norm and expectation.
The use of simulated attacks that trigger employee behavior and remediation training — all of which can be measured and analyzed over time — has increased client expectations for demonstrable ROI for security education investments. Vendors have responded by incorporating more curriculum management and trainee assessment capabilities into their offerings, and by producing software modules that are of shorter duration (that is, the current average duration is approximately 11 minutes) than traditional CBT approaches, which last 45 minutes and longer. An increasing number of vendors are introducing even shorter videos (one to three minutes in duration), and enterprise clients are reporting positive results from such short-duration, but high-frequency, media packages. Clients that treat security education as an inherently unproductive investment are a diminishing group, and the overall market is increasingly focused on security education that is proven to be effective and efficient at driving enterprise security performance.
Privacy regulations and other governmental controls in various jurisdictions may have an impact on the viability of vendor solutions that require the transfer and out-of-country storage of employee identity and performance information related to training activities. Enterprises should seek legal counsel concerning the impact of such regulations on the use of vendor infrastructure located outside of the enterprise's legal jurisdiction. If cross-border transfer of employee data is prohibited, clients should consider the use of on-premises or in-country LMS, CBT and anti-phishing solutions.
Gartner anticipates continued growth in the security education CBT market through 2020. Increasing numbers of end-user organizations will license CBT from regional and global vendors. Vendors will expand their support for diverse endpoints (for example, mobile and IoT devices) and presentation styles, including increased interactivity of content. Barriers to market entry are low, and Gartner expects to see a steady increase in new vendors competing in the security education CBT arena. Executive ROI expectations will drive security teams to invest in mechanisms that measure, record, analyze and report on employee performance in the context of security. Vendors are moving to support enterprises' appetite for metrics by analyzing user behavior via user and entity behavior analytics (UEBA) solutions and providing just-in-time remediation training based on actual employee behavior. The ability to deliver the right training experience to the people who need it, when they need it, will transform the security awareness market and drastically improve enterprise security outcomes that are dependent on employee behavior.
The CBT market is dynamic. Gartner is continually being briefed by new vendors seeking to meet the market demand for high-quality and innovative CBT content, delivery mechanisms, or adjacent functionality. While not included in this year's Magic Quadrant, we believe that the vendors/products listed below are worthy of note and may support one or more use cases well:
The Security Awareness Company
A number of vendors (for example, KnowBe4, PhishLine, PhishMe and Wombat Security Technologies) provide solutions that focus on reducing the frequency with which employees click on URLs in phishing emails. Although each vendor provides a unique solution, the basic approach is the same:
Phishing emails are sent to employees.
Employees who click on the URLs therein are immediately pushed into a CBT session.
Click rates and refusals to click on URLs are recorded for longitudinal trend analysis.
This approach has proved to be effective at diminishing the success of phishing attacks. By tightly coupling the act of clicking on a URL with participation in CBT, these solutions are able to provide evidence of a causal link between CBT participation and behavior change. In turn, this provides support for claims of positive ROI from investment in such solutions.
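The three-step workflow above (send simulated phish, push clickers into a CBT session, record click rates for longitudinal trend analysis) is easy to model in code. The following is an added example written for this page; it is not code from the Gartner report or from any of the vendors named in it. The campaign events are constructed sample data, and the field names, campaign labels and "improving" rule are assumptions made for illustration. It also tracks the report rate alongside the click rate, since a falling click rate alone can mean employees have learned to recognize the simulation template rather than real phishing, and the reported-email signal is the complementary measure the market is moving toward.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationEvent:
    """One employee's outcome in one simulated-phishing campaign (assumed schema)."""
    campaign: str   # campaign label; campaigns are ordered lexically, so use sortable names
    user: str
    clicked: bool   # followed the simulated phishing URL
    reported: bool  # flagged the message as phishing (e.g. via a report button)


# Constructed sample data, not real campaign results: five employees
# across three quarterly campaigns, one event per recipient per campaign.
SAMPLE_EVENTS = [
    SimulationEvent("2017-Q1", "alice", True, False),
    SimulationEvent("2017-Q1", "bob", True, False),
    SimulationEvent("2017-Q1", "carol", True, False),
    SimulationEvent("2017-Q1", "dave", False, True),
    SimulationEvent("2017-Q1", "eve", False, False),
    SimulationEvent("2017-Q2", "alice", True, False),
    SimulationEvent("2017-Q2", "bob", False, True),
    SimulationEvent("2017-Q2", "carol", False, False),
    SimulationEvent("2017-Q2", "dave", False, True),
    SimulationEvent("2017-Q2", "eve", True, False),
    SimulationEvent("2017-Q3", "alice", True, False),
    SimulationEvent("2017-Q3", "bob", False, True),
    SimulationEvent("2017-Q3", "carol", False, True),
    SimulationEvent("2017-Q3", "dave", False, True),
    SimulationEvent("2017-Q3", "eve", False, False),
]


def _by_campaign(events):
    """Group events by campaign, in campaign order."""
    groups = defaultdict(list)
    for e in events:
        groups[e.campaign].append(e)
    return dict(sorted(groups.items()))


def click_rates(events):
    """Fraction of recipients per campaign who clicked the simulated URL."""
    return {c: sum(e.clicked for e in evs) / len(evs)
            for c, evs in _by_campaign(events).items()}


def report_rates(events):
    """Fraction of recipients per campaign who reported the simulated phish."""
    return {c: sum(e.reported for e in evs) / len(evs)
            for c, evs in _by_campaign(events).items()}


def training_queue(events, campaign):
    """Users who clicked in `campaign`: the set pushed into a CBT session."""
    return sorted(e.user for e in events if e.campaign == campaign and e.clicked)


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns,
    i.e. candidates for targeted rather than generic remediation."""
    clicks = defaultdict(set)
    for e in events:
        if e.clicked:
            clicks[e.user].add(e.campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


def trend_is_improving(events):
    """Longitudinal check (assumed rule): click rate falls campaign over campaign
    and report rate does not fall. A single campaign is not a trend."""
    clicks = list(click_rates(events).values())
    reports = list(report_rates(events).values())
    if len(clicks) < 2:
        return False
    return (all(b < a for a, b in zip(clicks, clicks[1:]))
            and all(b >= a for a, b in zip(reports, reports[1:])))


def summarize(events):
    """Print the per-campaign metrics a program owner would report."""
    rates, reps = click_rates(events), report_rates(events)
    for c in rates:
        print(f"{c}: click {rates[c]:.0%}, report {reps[c]:.0%}, "
              f"to training: {training_queue(events, c)}")
    print("repeat clickers:", repeat_clickers(events))
    print("trend improving:", trend_is_improving(events))


if __name__ == "__main__":
    summarize(SAMPLE_EVENTS)
```

With the sample data the click rate falls from 60% to 20% over three campaigns while the report rate rises from 20% to 60%, and one user (alice) clicks in every campaign and so surfaces as a repeat clicker. In a real program the per-campaign rate should be read with the lure difficulty in mind: a harder template will raise the click rate without meaning behavior regressed, which is why the trend should be compared across campaigns of similar difficulty and why the report rate is worth tracking as a second signal.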
The revenue projections for vendors rated in this Magic Quadrant account for approximately $172 million for 2016. The $370 million anticipated revenue for 2017 is calculated by looking at the combined revenue for the vendors tracked as part of the Magic Quadrant process. We then add an additional 40% to account for other vendors that are not tracked/rated as part of this process, that are small/regional vendors, or that are unknown to us.
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.