Wombat Security Technologies’ Education Portfolio

Wombat helps organisations assess, train, and gather business intelligence related to end-user cybersecurity knowledge and behaviours.

Information Security award entry from Wombat Security Technologies for the “[4721]” category


Wombat helps organisations assess, train, and gather business intelligence and data related to end-user cybersecurity knowledge and behaviours. Its complete suite of security awareness and education solutions includes 25+ interactive training modules on topics ranging from phishing and ransomware to physical and mobile security. Other tools include simulated phishing tests; a one-click email reporting button for employees; question-based knowledge assessments; and awareness videos and posters. Wombat’s security education tools have also been integrated with endpoint security technologies like Carbon Black Enterprise Response, so that when a risky behaviour is detected, users can receive “just-in-time” training in response to that behaviour. For example, when a user clicks on a suspicious link online, Carbon Black will detect this and deploy a piece of Wombat training relevant to the user’s action.

Wombat was born from research at the world-renowned Carnegie Mellon University (CMU). The company was founded in June 2008 by Dr. Norman Sadeh, Dr. Jason Hong, and Dr. Lorrie Cranor — all faculty members at the CMU School of Computer Science.

While at CMU, the organisation’s co-founders led the largest national research project on combating phishing attacks. Their goal was to address the human element in cybersecurity and develop more effective anti-phishing filtering solutions. This project, funded by the US National Science Foundation and the US Department of Defense, yielded a suite of cybersecurity software training and filtering technologies. These technologies provided the foundation for Wombat’s Security Education Platform and its unique Continuous Training Methodology.

Wombat's Security Education Platform

Today, Wombat is helping Fortune 1000 and Global 2000 customers in industry segments such as finance, technology, banking, higher education, retail, and consumer packaged goods to strengthen their cybersecurity defences. Since 2014, its solutions have been named a leader four years in a row by Gartner in their Magic Quadrant for Security Awareness Computer-Based Training vendors.

Its Security Education Platform has been designed to include a comprehensive and effective set of tools. These tools, combined with its pioneering Learning Science Principles and Continuous Training Methodology, get results for its customers. For example, customers have seen up to a 90% reduction in successful external phishing attacks and malware infections.

Wombat's Reporting Capabilities

Wombat is scientific and methodological in its approach, reflecting its roots in CMU. For example, Wombat utilises Learning Science Principles because they were proven to be effective through research performed by the University. These Principles include: offering users conceptual and procedural knowledge (the big picture as well as specific actions); serving knowledge in bite-sized chunks; reinforcing lessons; training in context; and giving immediate feedback.

Furthermore, Wombat applies its Continuous Training Methodology to its toolset; this Methodology is based around four pillars: assess, educate, reinforce and measure. Wombat’s founders identified that presentations, videos, and simple slides aren’t effective tools when it comes to cybersecurity knowledge retention for end-users. While these formats are appropriate methods for informing users, they aren’t engaging enough to truly educate. The Methodology follows a cyclical approach that both informs users about best practices and teaches users how to employ these practices when they face security threats. Wombat’s customers see a marked reduction in susceptibility in as few as two months, and its continuous training approach allows organisations to capitalise and build on this initial rise in awareness, effectively changing behaviours over time.

Wombat's Training Videos

Wombat likes to see its customers succeed, both in their security awareness campaigns and more generally in the public sphere. It nominated Lesley Marjoribanks, Customer & Colleague Security Awareness Manager at the Royal Bank of Scotland, for Security Champion of the Year at the Women in IT awards this year and was incredibly pleased to see her shortlisted. It is also nominating John Hield, DPO and Information Security & Compliance Manager at Veolia UK & Ireland, for the Influential Infosecurity Leader at these awards: over the past few years it has seen him take strides in security awareness and training within his organisation, and has also seen him step up as DPO (Data Protection Officer) for Veolia UK & Ireland.

Wombat is also known for its annual research, which utilises data from millions of simulated phishing attacks sent through its Security Education Platform. It also surveys infosecurity professionals and technology users from the US, UK and Germany to gather its insights. Its most recent study, the State of the Phish™ Report 2018, presented data on the growth of phishing attacks and how these attacks are impacting organisations; on which factors influence higher click-rates on phishing emails, including verticals; on the differences in susceptibility to cybercrime between the US and UK; and on end-user awareness of emerging threats.

Having evolved out of higher education, Wombat is committed to providing customers with the highest level of security awareness and training.

Testimonials


“We have been using Wombat for over two years now and one of the reasons we chose to go with them was not just because we felt the product offered more than their competitors technically, but also because the user education experience had the edge with tone, pace, and multinational options. The product itself is constantly evolving, and there’s always something new to offer our colleagues by way of education.”

Lesley Marjoribanks, Customer & Colleague Security Awareness Manager at the Royal Bank of Scotland.

“In the first week that I implemented Wombat’s training, 1,200 modules were completed, belonging to both a compulsory and voluntary module set. I initially gave the company three months to complete the compulsory training, and with just a polite monthly reminder, 80% of users completed the training. Users just really like doing the modules because of their look and feel, and because they want to be educated.

Apart from the resounding success of the compulsory campaign, I was really impressed with how many end users completed voluntary training – from June to December, 4,120 voluntary modules were completed. 100 staff members even did every module available! Mobile Device Security was a particularly popular voluntary module.

I ran a mock phishing attack on my users in March during Veolia’s internal cyber and physical Security Week – only 700 people out of 5,300 email addresses targeted clicked on a link within the email. Because of this low number, we decided to challenge our users during the next mock phishing test in November/December 2017. We used an attachment-based simulation and more corporate-looking emails – this saw more people falling for the test who hadn’t before. So now we have planned the next mandatory education model to be Wombat’s Avoiding Dangerous Attachments module. And that’s the beauty of the whole Wombat approach — you can identify the problem, then apply an instant, ready-made solution.

The ROI of the training has been immense, with the equivalent of 250 entire days of training being delivered from June until October 2017 – an impressive number considering that the modules only take around 15 minutes to complete. We’re also using Wombat’s modules as a quick and easy solution to our GDPR training requirements. Whilst most of the business is waiting for a comprehensive training delivery from the Legal department, in the Information Systems and Technology department (who have acted as guinea pigs) we have trained our 160-strong team using Wombat’s GDPR training module. Our team are now more ready to tackle the issues than most.”

John Hield, DPO and Information Security & Compliance Manager at Veolia UK & Ireland.

“We included Wombat’s security awareness and training platform in our Cyber Security Program to support us in fulfilling the requirements of the Financial Market Supervisory Authority. Wombat’s Continuous Training Methodology was an ideal fit for our organization as it offers the opportunity to perform regular training during the whole year with minimal disruption to normal working activities. 

Wombat’s web-based solution is also easy to extend and leverage, and our end users have found the tools to be intuitive to handle and use. We liked that there was no software deployment requirement and that it allows us access from everywhere over the internet. In addition, Wombat’s support for multiple languages is particularly useful for our multicultural company, and we appreciate that the extensive reporting functionalities allow us to track our efforts and communicate metrics to our stakeholders.”

Roberto Huber, Advisory Security Officer at Avaloq Sourcing SA.