Selling Satisfaction: A Qualitative Analysis of Cybersecurity Awareness Vendors’ Promises

Security awareness and training (SAT) vendors operate in a growing multi-billion dollar market. They publish various marketing promises on their websites to their customers -- organizations of all sizes. This paper investigates how these promises align with customers' needs, how they relate to human-centered security challenges highlighted in prior research, and what narrative is presented regarding the role of employees (as SAT recipients). We also investigate the level of transparency in vendor promises, as to whether it constitutes an information asymmetry. We gathered search terms from n=30 awareness professionals to perform an automated Google search and scraping of SAT vendors' websites. We then performed a thematic analysis of 2,476 statements on 156 websites from 59 vendors. We found that the messaging from SAT vendors precisely targets customers' need for easy-to-implement and compliance-fulfilling SAT products; how SAT products are offered also means that some of the impacts of SAT go unmentioned and are transferred to the customer, such as user support. In this vendor-customer relationship, employees are portrayed as a source of weaknesses, needing an indefinite amount of training to be incorporated into the organization's protection. We conclude with suggestions for SAT vendors and regulators, notably toward an SAT ecosystem that directly links SAT solutions to usable security technologies within the organization environment.