8/1/2019 Gartner Reprint
Licensed for Distribution
Magic Quadrant for Security Awareness Computer-Based Training
Published 18 July 2019 - ID G00378818 - 46 min read
By Analysts Joanna Huisman
People influence security more than technology or policy, and cybercriminals know how to exploit human behaviors. Security and risk management leaders should invest in tools that increase awareness and influence behavior that supports security business objectives through computer-based training.
Strategic Planning Assumption
By 2022, 60% of large/enterprise organizations will have comprehensive security awareness training programs, with at least one dedicated full-time equivalent (FTE) for fulfillment.
Market Definition/Description
This document was revised on 24 July 2019. The document you are viewing is the corrected version. For more information, see the Corrections (http://www.gartner.com/technology/about/policies/current_corrections.jsp) page on gartner.com.
People affect security outcomes more than technology, policies or processes. The market for security awareness computer-based training (CBT) is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organization’s overall security and risk posture. This role is defined by inherent strengths and weaknesses: people’s ability to learn and their vulnerability to error, exploitation and manipulation.
End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management (SRM) leaders to help influence the behaviors that affect the security of employees, citizens and consumers. Interactive CBT is a central component of comprehensive security education and behavior management programs. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported.
Understanding the diversity of people in the organization is as important to SRM leaders as understanding how security fits into an organization’s larger goals. Security needs require chief information security officers (CISOs) and employee communication leaders — such as human resource (HR) managers — to recognize the increasing impact of employee behavior on enterprise SRM efficacy. This is due in no small part to increased enterprise and employee adoption of mobile, Internet of Things (IoT) and cloud products.
Security Awareness Is a Far-Reaching Concept
As often emphasized in Gartner research on security awareness, security decisions are closely linked to business objectives. This research focuses on the appreciable market space in which education materials are offered. In this research, Gartner uses “security education” to refer to the overarching set of activities and objectives that elevates security competencies and motivates employees to make better decisions in line with the organization’s data security postures. The organization’s education process should prepare the staff for decisions that align with enterprise security performance objectives and expectations.
Awareness of threats and mitigating actions is one function of a security education program. Direct behavioral conditioning — such as anti-phishing projects (see Note 1) — is another form of security education. Others include security communication and internal marketing campaigns, involving posters, competitions and advertising-style messaging. Products with different objectives for security education share the ultimate goal of supporting enterprise requirements for the management of security risks.
Security education can fulfill multiple objectives and requirements, including:
■ Complying with regulations that mandate security training
■ Establishing clear behavioral guidelines to support disciplinary processes, which are typically described in acceptable-use and/or security policies
■ Improving employee knowledge of security and risk topics
■ Motivating desired security behaviors in the appropriate context
Education and awareness CBT are licensed on a per-user, per-year pricing structure, with limited exceptions. Security education CBT is suitable for organizations of all sizes and is of particular use to geographically distributed organizations that need common security performance across all employee groups. The increasing diversity of CBT offerings requires prospective buyers to clarify the learning outcomes they are looking for prior to vendor engagement.
Relevancy and adaptation are key imperatives for SRM leaders. Most organizations have invested in some form of security awareness activities for decades. New technologies, threats and patterns of work compel organizations to seek more-sophisticated behavioral support approaches. These incorporate a broad range of deployment models, increased frequency of learning opportunities, context-specific training content and structure, and metrics that support continued investment in awareness and security education.
Many SRM leaders prioritize the evidence of the effectiveness, or ROI, of the security awareness program. The result is an increasing demand for the measurement of persistent learning outcomes. Some organizations offer preassessment, so that employees can “test out” some of the courseware, if they are able to demonstrate knowledge mastery, and to create a baseline by which future performance can be measured.
The market for CBT for security awareness is characterized by vendor portfolios that include ready-to-use, interactive software modules. These modules are available as internet-based services or on-premises deployments via client-managed learning management systems (LMSs) and vendor support for the Sharable Content Object Reference Model (SCORM) standard. The products included in this Magic Quadrant support multilingual and multicultural audiences — that is, they are available in English and at least one other language. They offer delivery via a variety of digital endpoints and assessments of trainee participation and completion.
Vendors that support this market target end-user organizations of all sizes. However, enterprise clients commonly demand ancillary capabilities, such as customization of content, creation of new content, and advanced assessment and reporting capabilities (see “Effective Security Awareness Starts With Defined Objectives”). They must also integrate security education CBT into a consistent program of security maturity improvement across the enterprise.
Market Trends
As products in this market mature, each vendor looks to differentiate its products and services in a variety of ways. At the end of the day, content continues to be paramount. Vendor differentiators in 2018 and 2019 are described in the sections that follow.
Variety of Content Formats, Lengths and Styles, Including Mobile Capabilities
Content continues to be the most prominent differentiator. Many clients and vendors recognize that their security training cannot effectively be approached with a “one-size-fits-all” mentality. They are developing content of different lengths (one- to two-minute microlearning lessons, interactive lessons, and episode-based, Netflix-like shows) and in different styles — e.g., ranging from extremely corporate-friendly and “safe” to more edgy, humorous styles.
Learners have different styles (e.g., visual, aural, logical, verbal, physical, social and solitary), which means audiences can receive the same information in multiple forms, thereby increasing the possibility for information absorption and retention. Customization of content also addresses the needs of particular roles or audiences. For instance, although training for all audiences should include foundational awareness, there may be a need for additional/different training for call center employees, executives or HR personnel.
Many vendors are also offering content that reflects diversity of characters (elements of the learning) with a more global perspective. The more relatable the content is to the learner, the more interested and engaged they will be. This also increases the potential of increased followership across your awareness curriculum.
The potential for mobile attack is increasing. Many vendors offer not only content that can be delivered via mobile device, but also phishing campaigns. Clients that have large moving populations need to consider “learning-on-the-go” as a good alternative to traditional CBT methods.
Gamification
Some vendors include a focus on gamification, although the definition of gamification varies from vendor to vendor. Clients initially expect an experience that is similar to Xbox or PlayStation, but quickly realize that the security awareness gamified content is nowhere near that level of sophistication. In this context, “gamification” includes the establishment of multidepartment leaderboards and badges, so that departments/employees are ranked against each other in various ways. Some vendors that provide gamification as an option are also thinking differently about reward and recognition options for users who exhibit heightened security behaviors (see “Rewards and Consequences Motivate Employee Secure Behavior”).
Some vendors are also introducing virtual reality content to provide learners with unique experiences.
Multilanguage Support
Most long-standing vendors offer support for all major language groups. However, many vendors are now distinguishing themselves by offering out-of-the-box language support for 20 or more languages, and some offer more than 50 languages, including cultural variants/dialects of languages. However, Gartner recommends that organizations verify the accuracy of languages with their own in-country personnel before deploying pretranslated materials. Although some vendors promote many languages, only subsets of their library are offered in every language. Demand clarification upfront on what is translated into all the languages you require across your enterprise.
Supplemental Internal Marketing Content
In recognizing that SRM leaders are not full-time content writers, graphic designers or marketing experts, many security awareness CBT vendors offer large libraries of predesigned content to serve as additional/supplemental campaign artifacts or for ad hoc communications. These can include materials for newsletters, intranet postings, emails, security alerts, digital banners and security information for families and more.
Competitive Pricing
Price continues to be the biggest disruptor in the market. As a result, most of the vendors in this space offer some free CBT or internal marketing materials. Some vendors have adjusted pricing downward to differentiate on price and to seek a large share of the small or midsize business (SMB) market, which will not tolerate traditional pricing for products. The current pricing environment feels like a race to the bottom; it is certainly a buyer’s market, in which the art of negotiation and competitive bids go a long way toward savings for like services.
Gartner cautions clients to ensure they’re comparing the price of “like” products and services.
Integration Partnerships and Possibilities
Some vendors are also exploring interesting partnerships with core security technology vendors, such as employee-monitoring vendors, endpoint detection and response (EDR) vendors, endpoint protection platform (EPP) vendors, secure email gateway (SEG) vendors, data security vendors and others. The goal of such partnerships is to be able to:
■ Leverage real-time data generated or collected by core technologies
■ Log data to provide just-in-time learning, based on observed unsecure behavior exhibited by an employee
■ Provide a comprehensive product that covers technology to human behavior
When unsecure or risky behavior is logged, the behavior could trigger autoenrollment into a contextually relevant training module. This is a natural evolution of the anti-phishing behavior management market. The aim is to create observed and individualized, behavior-based training specifically relevant to the learner.
Market Dynamics and Growth
The market for security awareness CBT became dynamic in 2017, and this dynamism continues. Multiple mergers and acquisitions occurred in 2018, resulting in market consolidation. This movement indicates an ongoing trend — i.e., additional mergers and acquisitions (M&A).
This research focuses primarily on the vendor market performance during the 2018 calendar year, but also includes market and capability changes that took place in the first quarter of 2019. In 2018, the market grew to roughly $451 million, which falls approximately $40 million short of our original projection. This miss was the result of inaccurate reporting from two separate vendors. However, all indications suggest that the market is well-positioned for high growth and will remain so during the next five years. We estimate the market will grow by approximately 47% in 2019 and reach $660 million (see Note 2).
Gartner continues to experience an increase in inquiries year over year, as end-user organizations continue to struggle with changing employee behaviors with respect to the security and protection of valuable assets. The market has experienced nearly 25% growth from 2017 through 2018. Most organizations of any size need to provide security training for their employees, due to regulatory requirements and other internal objectives. Product vendors mine a large, anticipated, total addressable market (approximately $2.5 billion, depending on product price tolerances). Gartner anticipates the market will grow at a 42% compound annual growth rate (CAGR) through at least 2023.
Advice to SRM Leaders Purchasing Security Awareness CBTs
CISOs and other purchasers of security awareness CBT products should resist basing their vendor evaluations solely on technical/functional requirements. Security awareness materials are the touchpoint of the security department for the rest of the organization. As such, ensuring that the tone, production value, and overall look and feel of the product are a good match for your specific organization is fundamental to success. Comparisons are important when considering interfaces and user experience. If the product you are evaluating does not have content and an interface that is as good as or better than anything else your company has released, then other vendors should be evaluated.
Magic Quadrant
Figure 1. Magic Quadrant for Security Awareness Computer-Based Training
Vendor Strengths and Cautions
Barracuda
Barracuda acquired PhishLine in January 2018 and markets Barracuda PhishLine as a key component of Barracuda’s Total Email Protection product.
Barracuda PhishLine is an anti-phishing behavior management and security awareness CBT product with a strong focus on the data science of phishing measurement. Along with Barracuda PhishLine’s library of CBT content, the company partners with six security providers to offer clients CBT content through its Content Center Marketplace, which is able to meet the needs of many learners and styles.
Barracuda PhishLine’s content is completely customizable and user-friendly. Through its Click Thinking bundle, it provides monthly content updates, including training videos, newsletters, infographics, email templates and landing page content. Extensive analytics enable more complex behavioral assessment and targeted education than is common with competitive anti-phishing products. Assessment capabilities include a variety of social engineering and phishing simulations that enable users to apply and demonstrate acquired knowledge.
Content is offered in 21 languages.
Strengths
■ Barracuda PhishLine offers a data-scientist-level view into how to create a simulated phishing attack, which can assist with continuous performance improvements and how to measure and report on the data available through simulated phishing tests and CBT assessments. Thus, it gives end users insight into how effectively their phishing simulation training is performing.
■ Barracuda PhishLine’s Content Center Marketplace provides a simple platform from which customers can choose from a variety of CBT modules and associated content from multiple vendors; the content is then aligned to specific, Barracuda PhishLine-created, social engineering testing.
Cautions
■ PhishLine has been Privacy Shield certified since 2016, which ensures that all stored personally identifiable information (PII) meets all data privacy regulatory requirements, including the General Data Protection Regulation (GDPR).
That said, some clients have expressed concerns about the amount of data that can be collected and analyzed. Customers with data collection and privacy concerns should ensure that Barracuda PhishLine deploys advanced configuration options that address their individual regulatory or other security/privacy needs.
■ Although Barracuda PhishLine focuses on phishing and provides security awareness and training artifacts, its CBT package is not as robust and innovative as many of the market leaders.
Cofense
PhishMe was acquired through a private equity consortium in February 2018 and renamed Cofense. Cofense benefits from strong brand recognition in the security awareness market with its former PhishMe name. Its approach to CBT is “learning through doing.” Cofense’s strategy is focused on training users to spot and report phishing attacks, and then using that opportunity to provide immediate training and reinforcement. Its large market base enables Cofense to benchmark client performance against industry performance. This capability is supported by flexible analysis and advanced reporting capabilities, including executive-level board reports.
In addition to anti-phishing, Cofense offers a moderate library of interactive content that incorporates games, videos and a variety of learning artifacts. It also offers CBFree, a set of standard compliance courses offered free to all enterprises. Cofense offers the only free content and anti-phishing product, PhishMe Free, which provides a no-cost phishing and CBT product to small businesses with fewer than 500 employees.
Content is offered in 56 languages.
Strengths
■ Industry-leading Cofense Reporter and Cofense Triage enable users to report suspected phishing emails via a “report” button in their email.
Incident response teams can use these features for significant automated analysis, risk ranking and orchestration of real phishing attacks.
■ Advanced and flexible analysis and reporting enable training optimization and phishing vulnerability assessment.
Cautions
■ Although Cofense focuses on phishing and provides a number of security awareness and training artifacts and a free service offer, its CBT package is not as robust and innovative as many of the market leaders.
■ Although Cofense has an established content library, clients would benefit if Cofense expanded and strengthened its partner approach to diversify its content offering.
Global Learning Systems
Global Learning Systems (GLS) offers strong learning services in the design, development, deployment and ongoing management of security training. The vendor offers a wide range of scalable, multilanguage, customizable products through its continuously expanding GLS OnDemand Learning Management System (LMS), which features portal functionality. Its Securing Your Human Firewall covers topics such as traditional security awareness information and regulatory compliance.
GLS segments its offering into distinctive, user-friendly bundles, and clients can quickly create, deliver and track training via the LMS. Its offerings cover general and role-specific security awareness, anti-phishing, GDPR, ethics, Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), privacy and other compliance topics. GLS can address the needs of its clients’ businesses, while providing a roadmap as needs change and programs mature.
The vendor offers a good assessment tool, SecureGenius, for ongoing evaluation of competency levels in a user base. GLS’s integrated anti-phishing testing and remediation capabilities create a comprehensive portfolio for security education and behavior management.
GLS continues to grow its gamified content, animated video product suite, and internal marketing and communication tools.
Content is offered in 34 languages.
Strengths
■ GLS offers an out-of-the-box product for security awareness managers who need an immediate multiyear roadmap with prestructured campaigns and supporting materials. GLS also provides expanded professional services, internal marketing and communication tools designed to promote ongoing reinforcement.
■ The interactive training content and varied formats are designed to keep learners engaged, reinforce core messages and aid in knowledge retention. Optimization for content presentation on smartphones and tablets provides strong support for modern endpoint portfolios and digital workplaces.
Cautions
■ Although GLS maintains its focus on international growth, its U.S.-centric sales may inhibit uptake of the product by clients outside North America. Clients should watch how the company prioritizes growth outside the region.
■ The vendor provides several useful options and products to its clients and prospect base, but GLS needs to strengthen its brand recognition when competing with market leaders. GLS needs to continue focusing on expanding marketing efforts to reach a broader share of the market.
Infosec
Infosec continues to be one of the fastest-growing providers in the security awareness space. Infosec provides a strong general security awareness program, while offering skills training and certifications for IT security professionals. Infosec has several distinct approaches. Infosec IQ offers precise training to all employees. It combines anti-phishing simulation, general security awareness CBT and role-based training into a 12-month, best-practices program with a default curriculum.
Infosec Skills focuses on skill and career advancement of IT professionals, whereas Infosec Flex assists IT professionals through boot camp learning environments. Infosec offers the largest and most diverse variety of CBT security awareness topics for general awareness and for role-based and security professionals, coupled with pre-engagement surveys, preassessments, quizzes and survey assessments.
Infosec has expanded its target market outside large/enterprise companies and is now competing heavily for the SMB market share. Infosec offers a variety of packages and pricing options to meet the unique educational needs of any size organization. Also, Infosec has a “match or exceed” pricing program, allowing it to remain competitive among the more prominent vendors.
Content is offered in 32 languages.
Strengths
■ Infosec provides high-touch customer service and works with clients and prospects to tailor content for general security awareness training, or for a role-based, industry or IT professional focus.
■ Infosec offers a broad range of security awareness training, meeting most key enterprise needs. It focuses on growing and diversifying its content to offer multiple varieties and flavors for any single topic of learning.
Cautions
■ Although language support for training modules and assessments is good, not every Infosec IQ module is localized in every language that may be required by some multicultural enterprises and audiences.
■ To compete with other leaders in this market, Infosec needs to focus on marketing. Infosec has solid recognition in the IT professional training/certification sector. The company needs to continue strengthening its brand in the general awareness space to avoid being prematurely left off customer shortlists.
Inspired eLearning
Inspired eLearning (IeL) continues to provide a large portfolio of current, role-based turnkey content and phishing simulations through its Security First and PhishProof products. The vendor’s training content is available in user-friendly packages — Select, Preferred and Elite — that adapt as organizational needs change and mature. These product packages can be tailored to fit an organization’s needs. Inspired eLearning also offers HR and Compliance training programs.
The vendor offers a solid assessment tool, Cybersecurity Quotient (CyQ), which enables customers to identify and quantify high-risk areas in the organization. The CBT portfolio is augmented with internal marketing tools, such as newsletters, security alerts and reminders, and instructional design and customization services. Multilingual support across multiple media is available for diverse employee populations. The Inspired eLearning mobile app enables your audience to download content directly to their mobile devices, so learners can complete training on their own schedule.
Inspired eLearning has more than 15 years of experience using proven adult-learning principles and immersive educational experiences to prepare learners to defend themselves and their organizations from an ever-evolving cyberthreat landscape.
Content is offered in more than 40 languages.
Strengths
■ Inspired eLearning continues to innovate in new security awareness education paradigms, such as virtual reality and mobile learning. These enhancements boost learner engagement and the ability to recall important security tactics to identify and report security threats to your organization.
■ Inspired eLearning’s Security First offering is its most channel-friendly offering.
Its accelerated onboarding, automated program execution, and systemic generation of roll-up and role-based reporting make it easier to track learner progress and security-risk value across single or multiple organizations.
Cautions
■ The lack of a physical presence beyond the U.S. may be an obstacle for clients based outside North America. Clients should investigate how multilanguage support can enhance service.
■ Inspired eLearning needs to focus on extending its reach, finding new ways to position and differentiate itself from market leaders, and making a favorable impact on consumers through engaging and interesting marketing techniques.
Junglemap
Junglemap’s NanoLearning method is based on a process of delivering a three-minute digital security lesson to employees every three weeks, all year round. This is designed to transfer knowledge in small-enough modules to align with today’s user impatience and attention spans, mobile workstyles, and to create and maintain organizational alertness and dialogue around information security throughout the year.
Junglemap offers a portfolio of separate processes for employees, managers, executives and board members for businesses, the public sector and healthcare. With the increased demands of leadership and digital transformation pressing on business leaders, Junglemap addresses this group’s need for fundamental and special track learning in security matters. Junglemap has a large client base in Europe and enjoys a growing client base in the U.S.
Content is offered in more than 44 languages; agency and AI-based translation services are available.
Strengths
■ NanoLearning has been proved to be highly effective in creating lasting organizational awareness.
■ End-user satisfaction with the NanoLearning method is high, because it requires little time to complete any given module, and modules are spread out in time.
Cautions
■ Junglemap is a nascent entry in the U.S. market.
■ To compete with the leaders in this space, Junglemap needs to market the integral benefits of its approach and service in this space.
KnowBe4
KnowBe4 continues to be the fastest-growing vendor in this space in revenue and customer count. KnowBe4 markets anti-phishing behavior management, coupled with general security awareness CBT offered through a variety of comprehensive packages. Its most popular offering level, Diamond, provides access to the industry’s largest library of general security awareness content, as a result of numerous acquisitions and partnerships.
KnowBe4 is skilled at acquiring and partnering with content providers, enabling it to offer its clients the most engaging and innovative security awareness content available through its Modular Store (ModStore). Recently, through a partnership with Twist & Shout Media, KnowBe4 has created a new story-driven episode series called The Inside Man, providing a movielike experience for learners. KnowBe4 continues to offer several free tools to help clients proactively understand and, in turn, secure their footprint from mischief and missteps.
KnowBe4’s newest product, PhishER, allows incident response teams to evaluate and automate the management of suspected phishing emails reported via the vendor’s “Phish Alert Button.” This helps create a closed-loop ecosystem in which trained employees can report suspected threats, and the incident response team is equipped with the tools necessary to evaluate and respond to the threats. KnowBe4’s platform also has capabilities to improve employee resistance to different kinds of social engineering attacks through various forms of penetration tests.
Content is offered in 35 languages.
Strengths
■ KnowBe4 has an aggressive M&A strategy.
It invests heavily in its company, uses the parts of the acquired companies to improve what it offers and, as a result, is winning customers with its continued focus on innovation.
■ KnowBe4 maintains an aggressive pricing structure that’s attractive to any size company looking to purchase security awareness and anti-phishing behavior management products. It often offers the most-competitive quotes.
Cautions
■ Clients should ensure that account services staff are familiar with relevant awareness topics and practices for a more complete service experience.
■ Most clients will need guidance to effectively build content into their core curricula. As KnowBe4’s content library continues to grow, the company should find new ways to organize it to ensure it is more user-friendly for admins to provide the most value to their clients.
MediaPRO
MediaPRO provides all the components needed to run a complete security awareness program. MediaPRO TrainingPacks combine highly flexible, out-of-the-box courses with internal marketing and reinforcement tools, reports, anti-phishing campaigns and knowledge assessments. Its CourseFlex technology enables the automatic personalization of courses to deliver only the training that each learner needs. Enterprise customers have noted that content can be customized easily and quickly. MediaPRO also provides Human Risk Scorecards measured across eight categories to understand the readiness level of each employee.
MediaPRO regularly adds to and updates content to align with risks and use cases. Content is interactive, with a nearly continuous assessment of skills and knowledge acquisition. MediaPRO’s phishing and knowledge assessment services are integrated with its CBT and LMS, enabling dynamic delivery of CBT topics, based on user behavior and assessment responses.
Content is offered in 21 languages, and translation services are available.

Strengths

■ MediaPRO offers one of the most flexible integrated content products in this market. This enables clients to simulate course customization and creation capabilities in an easy, drag-and-drop environment.
■ MediaPRO’s ability to assign a risk score to each employee enables organizations to understand the gaps across their enterprises and remedy them.

Cautions

■ MediaPRO’s phishing simulation tool is not as feature-rich as some other leading offerings, and those whose primary focus is phishing would be wise to look elsewhere.
■ The MediaPRO brand name is not as well-known as some of its competitors, and, thus, it may be prematurely dismissed from customer shortlists. It needs to ramp up its marketing efforts to be more competitive with the other market leaders.

MetaCompliance

The cornerstone of the MetaCompliance approach to security awareness is threefold: keeping your staff safe online, securing your digital assets and protecting your corporate reputation. The MetaCompliance approach is anchored on bite-size, nanolearning awareness modules offered on a variety of topics found in its Elements Library. MetaCompliance encourages customers to build their own curricula to create highly focused learning playbooks for their audiences. This approach is available for executives and senior business leaders.

Strengths

■ The MetaCompliance approach to learning, increasing frequency, while decreasing time spent in training, is continuously surfacing as a need for all enterprises.
■ The library of user-friendly, entertaining, CBT nanolearning provides a good umbrella of topics most requested by Gartner clients.

Cautions

■ MetaCompliance does not enjoy the same level of brand awareness as many of its competitors. As a result, it may be prematurely dismissed from customer shortlists, simply because it is not a known name.
It needs to reconsider its strategy in terms of geography, competition, differentiators and pricing.
■ Organizations seeking a wide variety of CBT presentational formats and styles in multiple languages may find MetaCompliance’s content limiting. Expanding content offerings into different versions and flavors would be beneficial to a broader audience and reach.

PhishLabs

The PhishLabs training approach is anchored on increasing the frequency of training engagements, while maximizing how adult learners consume information in small, bite-size portions. PhishLabs’ approach is engaging and focused. Its programs are offered in three bundles: Anti-Phishing MicroLearnings, General Security MicroLearnings and Phishing Simulations. PhishLabs has a laserlike focus on the nanolearning space, offering a level of experience and a package of offerings that fits well with the needs of clients that are looking for this type of learning. PhishLabs is also one of the only providers that offers a fully managed service. Content is offered in 11 languages.

Strengths

■ PhishLabs’ approach to learning — increasing frequency, while decreasing time spent in training — is continuously surfacing as a need for all enterprises.
■ The library of user-friendly, entertaining CBT nanolearning provides a good umbrella of topics most requested by Gartner clients.

Cautions

■ PhishLabs does not enjoy the same level of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists, simply because it is not well-known. It needs to reconsider its strategy in terms of geography, competition, differentiators and pricing.
■ Organizations seeking a wide variety of CBT presentational formats and styles in multiple languages may find PhishLabs content limiting.
Expanding content offerings into different versions and flavors would be beneficial to a broader audience and reach.

Proofpoint

Cybersecurity company Proofpoint acquired Wombat Security in March 2018. The product is marketed under Proofpoint Security Awareness Training. It can be sold stand-alone or in combination with other Proofpoint products. Proofpoint Security Awareness Training provides innovative security education and behavior management CBT and continues to be a market leader. In addition to a portfolio of CBT on traditional security awareness topics, Proofpoint provides effective phishing training and suspicious email reporting, with an automated remediation product. Proofpoint provides extensive services in training needs analysis, content development, CBT customization and security essentials training for executives and other essential vertical/role-based positions. Proofpoint provides guidance on curriculum scheduling, based on continuous assessment, refinement, targeted education and behavioral metrics to optimize the retention of learned behaviors.

Proofpoint has a solid approach to learning anchored on learning science principles. Through its Continuous Training Methodology, learners are provided a flexible, on-demand format that minimizes disruptions to their daily work routines. Proofpoint also keeps adding to its series of clever awareness video campaigns as a companion to its current CBT offering to show the “lighter side” of security awareness. Proofpoint has been focused on further expansion of its global footprint, with more penetration into Europe and Asia. It has also taken aim at the SMB market, bundling and pricing its products to deliver enterpriselike service at a small-business price. Content is translated and localized in 37 languages.

Strengths

■ The company’s continuing innovation in support of measurable security performance also supports the customers’ need to enhance risk mitigation based on intelligence from the changing threat landscape and through the management of user behavior.
■ Proofpoint is well-suited to enterprises of all sizes looking to deploy broad-based security awareness and anti-phishing training, with a consistent corporate look and feel that uses adult-learning principles applicable across a variety of learning styles.

Cautions

■ Organizations looking for a wide variety of CBT presentational formats and styles may find Proofpoint’s content limiting.
■ Proofpoint’s pricing remains relatively high, compared with many competitors, depending on the bundle being purchased and the length of agreement.

SANS Institute

SANS Institute declined to provide data for use in the 2019 Magic Quadrant.

SANS continues to be a major force in the training market for IT security professionals, offering well-regarded certification and degree programs, such as the Global Information Assurance Certification (GIAC). The SANS Security Awareness CBT portfolio is extensive, offering bite-size video modules and a focus on general security awareness, specific vertical industries, regulatory environments and roles, including senior leadership. With its extensive customer base in IT professional training and security awareness, SANS offers a community approach to learning and information sharing. It provides a practical understanding of what other companies are experiencing and how they are remedying security awareness gaps. The offering includes anti-phishing behavior management functionality for social engineering testing in a flexible product that supplies security awareness out-of-the-box for organizations just beginning their programs.
It can support individual and varied learner needs associated with intermediate-to-mature security awareness programs. Content is offered with full voice-overs in 31 languages.

Strengths

■ A deep knowledge of IT security management, combined with adult-learning psychology and design principles, is reflected in the company’s content and delivery of materials.
■ The large CBT portfolio covers the topics and roles that Gartner clients commonly request, using formats such as videos, games and quizzes.

Cautions

■ Many organizations recognize the SANS brand as offering technical training and may have concerns that its end-user training would be over the heads of less technologically oriented staff. We encourage clients to evaluate the products, regardless of this market sentiment.
■ SANS’s fundamental approach to CBT involves video-based modules. Organizations looking for a wide variety of CBT options that are not delivered via video may decide to complement SANS video CBT with other training content. The vendor has shared plans with Gartner to diversify its content, but nothing has been available in the market to date.

Security Innovation

Security Innovation provides a diverse set of application security and IT security training content, including traditional CBT and videos. Industry-specific packaging is available for healthcare and government, so customers can easily assign the right curricula to their audiences. Its library of supplemental materials, Security Awareness 365, includes tip sheets, posters, lunch-and-learn activities, customer care assets, securing-your-home information, and immersive and scenario-based learning modules. These are all offered in a variety of styles with full animation and narratives in local languages. Security Innovation also offers customization at the course and program levels and consulting services that customers often bundle.
Security Innovation continues to advance cyber-range learning into general awareness through its CMD+CTRL Cyber Range offering. This product supports the learn-by-doing approach, providing the learner a realistic experience that allows staff to think like attackers, while competing in a gamified, real-world environment. Content is offered in 16 languages.

Strengths

■ Security Innovation’s use of diverse media, mixed durations, interactivity and changing visuals in modules enhances the uptake and retention of new skills. Its ability to continuously innovate with new learning approaches is beneficial to clients.
■ The vendor’s holistic life cycle approach to training management promotes close alignment with enterprise risks and performance gaps and provides adults with a comprehensive experience.

Cautions

■ Security Innovation does not enjoy the same level of brand awareness as many of its competitors. As such, it may be prematurely dismissed from customer shortlists simply because it is not well-known. It needs to reconsider its strategy in terms of geography, competition, differentiators and pricing.
■ When compared with other market leaders, the range of end-user-awareness topics covered by Security Innovation may become limited as its program matures and looks to support varied and deeper learning content.

Terranova Security

Terranova Security empowers its clients to cultivate a security mindset and culture with its proven Terranova security awareness five-step framework. Terranova provides a large, diverse library of CBT modules and supporting materials focused on general security, privacy and compliance awareness supporting the “knowledge, support, motivation” behavior change theory. Its content is packaged for vertical and role, so that customers can minimize the guesswork when trying to build the right curriculum to meet their needs.
It also introduced a train-the-trainer module, for customers new to operationalizing a security awareness program or new to leading this kind of training role. Interactive content is supported by an abundance of internal marketing materials, as well as by assessment and customization services. Terranova also provides an anti-phishing simulation platform and training. Preassessments and postassessments are available, and employee skills retention is tested in each CBT module.

Terranova provides strong support prior to implementation to enable clients to select appropriate content for different user populations, and to develop effective communication and deployment strategies. Terranova delivers its entire content library in the most languages (including narration) of any vendor in this research, meeting the multilingual and multicultural needs of most global enterprises. Content is offered in 40 languages.

Strengths

■ Terranova supports each customer in a consultative manner, ensuring that proper customization of content is achieved, and the learning paths are clearly defined and well-suited to the organization’s selected roles and groups of learners.
■ Lessons are highly interactive, graphic-rich and instructionally designed for trainee engagement and learning. Terranova has added gamification to increase user engagement and motivation. Terranova added a course builder into its security awareness management platform (its LMS), enabling targeted, role-based and modular awareness campaigns. Customers can build their programs by integrating different content formats, including courses, modules, microlearning and nanolearning.

Cautions

■ Terranova needs to continue its focus on brand awareness and to drive its marketing efforts. In addition, growing its sales force is paramount to meeting its overall ability to grow its brand.
■ Terranova is a well-known brand in the Canadian market, with an impressive footprint in the U.S.
It will need to grow its global recognition by continuing to expand its international customer base.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in a Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may reflect a change in the market and, therefore, changed evaluation criteria, or a change of focus by that vendor.

Added

■ PhishLabs — now meets the criteria
■ MetaCompliance — now meets the criteria

Dropped

■ Sophos — no longer meets the criteria

Inclusion and Exclusion Criteria

Gartner’s view of the market emphasizes transformational technologies or approaches delivering on the future needs of end users. It is not focused only on the market as it is today.

Gartner defines “security awareness CBT” as the delivery of a standardized set of interactive security education and/or security behavior management content to a trainee/user via an endpoint computing device (e.g., a laptop, desktop or tablet). Training content focuses on general users of IT, not security or IT professionals. Although customization of this content may be provided as a service, the essential element is a catalog of core-training content. Security education CBT excludes products delivered through vendor personnel on-site (e.g., live training sessions), content delivered to trainees through noncomputing mechanisms (e.g., printed manuals or newsletters), and services that produce novel, unique CBT products for single clients.

Inclusion Criteria

The inclusion criteria represent the specific attributes necessary for inclusion in this research.
To qualify for inclusion in the 2019 “Magic Quadrant for Security Awareness Computer-Based Training,” vendors must:

■ Compete in the market for security education CBT, as defined above.
■ Demonstrate a competitive presence in end-user organizations.
■ Demonstrate ability to provide training content in English and 10 other languages.
■ Provide a diverse set of security content/curriculum.
■ Provide trainee performance assessments against defined learning outcomes.
■ Offer, through a vendor-owned technology or through a partnership, an automated social engineering simulation tool — such as anti-phishing behavior management — for measuring current behavior and promoting behavior change.
■ Demonstrate security education CBT revenue of more than $5 million and a security education CBT customer count of more than 300.
■ Be the original developer of the product. Although we examine strategic partnerships as part of our analysis, we do not include resellers in our research.

Other Vendors of Note

The CBT market is dynamic. Gartner is continually being briefed by new vendors looking to meet the market demand for high-quality and innovative CBT content, delivery mechanisms or adjacent functionality. Although not included in this year’s Magic Quadrant, the vendors and products listed below are worthy of note and may support one or more use cases well:

■ AwareGO
■ BeOne Development
■ Circadence
■ Cyware
■ Digital Defense
■ ERMProtect
■ Habitu8
■ Lunarline
■ Mimecast
■ NINJIO
■ Restricted Intelligence
■ Secure Mentem
■ Security Mentor
■ Sophos
■ ThreatAdvice

Evaluation Criteria

Ability to Execute

Product or Service: This criterion includes service and customer satisfaction in deployments of the security education CBT.
Execution considers factors involved in the selling, deployment and support of the education product. Strong execution indicates that a company has clearly demonstrated that its product has been successfully deployed and maintained, and that the company wins a large percentage of engagements in competition with other vendors. Companies that execute strongly generate persistent and pervasive brand awareness and loyalty among Gartner clients, and they are mentioned regularly in inquiries with Gartner analysts. Execution is not strongly correlated with company size or market share, although these factors can influence a company’s ability to execute over time. Although sales success is a factor in the Ability to Execute, continuing innovation and quality of the product portfolio have greater impact. Key features are weighted heavily. These include multiple modules of software, content that covers topics commonly raised by Gartner clients, customization of content, interactive learning experiences, content translations and support for multiple types of endpoints. Support is determined by quality and breadth.

Overall Viability: This criterion includes overall financial health, prospects for continuing operations, company history and demonstrated commitment to the security education market. All vendors were asked to disclose comparable market data, such as revenue, quantity of customers, quantity of trainees and competitive wins.

Sales Execution/Pricing: Gartner evaluates the company’s pricing, deal size and installed base. This analysis includes the company’s sales and distribution operations and relationships. Pricing is compared in terms of typical deployment models. The robustness of sales channels is a strong factor.

Market Responsiveness/Record: Gartner’s analysis focuses on the company’s ability to support changing client requirements for security performance management.

Marketing Execution: This criterion includes competitive visibility in client RFPs and competitive visibility with other vendors. The prominence of product innovations in the market is a key factor, as are pricing innovations. Support for multiple endpoint platforms is heavily weighted, as is the depth of support for customization of content and structure of the product.

Customer Experience: Given the culture-specific and subjective nature of training effectiveness, this factor is heavily weighted in our analysis. Customer satisfaction throughout the client-vendor relationship is examined.

Operations: The experience and track record of company management in training design/development and the security marketplace are critical factors. Effective training products can be developed and marketed by small organizations. As a result, this factor focuses on the quality of staffing, rather than the quantity of the personnel.

Table 1: Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Product or Service | High |
| Overall Viability | Medium |
| Sales Execution/Pricing | High |
| Market Responsiveness/Record | High |
| Marketing Execution | Medium |
| Customer Experience | High |
| Operations | Low |

Source: Gartner (July 2019)

Completeness of Vision

Market Understanding and Marketing Strategy: Gartner assesses these factors via interactions with vendors, feedback from Gartner customers, and direct interactions with vendor products and materials. We evaluate the vendor’s proven ability to anticipate market changes and lead customers to optimal performance. We also examine the company’s understanding of and commitment to the security education market.

Sales Strategy: This criterion includes customer relationship management (CRM) before purchase, as well as during and after deployment of the product. Companies need to demonstrate an understanding of the various decision makers and influencers in client organizations for security education products. Channel and third-party ecosystem strategies also apply.

Offering (Product) Strategy: This factor focuses on a vendor’s product roadmap, current product features, variety and volume of content types, and product performance. Integration of the CBT product with other systems and capabilities — for example, LMS integration and LMS as a service — is also examined. Strong emphasis is placed on vendor support for reporting mechanisms that provide credible evidence of trainee progress, as well as improvement of security performance in the context of defined learning outcomes.

Business Model: This criterion includes R&D spending, as well as the vendor’s approach to developing new capabilities and features.

Vertical/Industry Strategy: Although this Magic Quadrant is primarily focused on general end-user security education, training for security and data-handling requirements aligned with specific verticals/industries is considered.

Innovation: This factor is heavily weighted and focuses on innovation in the core product and supporting services and products.

Geographic Strategy: This Magic Quadrant is global in scope, but many vendors demonstrate the strongest performance in their home geographies — for example, U.S. vendors perform best in North America. As a result, our analysis closely examines vendors’ ability to support geographic markets beyond their home territories.

Table 2: Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Market Understanding | High |
| Marketing Strategy | Medium |
| Sales Strategy | Medium |
| Offering (Product) Strategy | High |
| Business Model | Low |
| Vertical/Industry Strategy | Medium |
| Innovation | High |
| Geographic Strategy | Medium |

Source: Gartner (July 2019)

Quadrant Descriptions

Leaders

The security education CBT Leaders quadrant is composed of vendors that:

■ Provide products that are a good match to market requirements
■ Have been the most successful in building a customer base and revenue stream in the CBT market
■ Have relatively high viability (due to CBT revenue)

In addition to providing CBT that is a good match to customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements. They typically have relatively high market share and/or strong revenue growth and provide a range of CBT capabilities that target education and behavior management. Leaders have a demonstrable track record of content revision and expansion to meet market requirements. They have demonstrated positive customer feedback for effective CBT and related services, as well as focusing intently on anticipating market needs and evolving accordingly.

Challengers

The Challengers quadrant includes vendors that have a sustainable customer base and revenue, proven market relevance and adaptability, and products that meet most market requirements. Vendors in this quadrant typically have strong execution capabilities, as evidenced by financial resources, significant sales, customer counts and brand presence garnered from the company as a whole or from other factors. However, Challengers have not demonstrated as rich a capability or track record for CBT offerings as vendors in the Leaders quadrant.

Visionaries

The Visionaries quadrant is composed of vendors providing CBT products that are good functional matches to general security education market requirements; however, these vendors have a lower Ability to Execute score than the Leaders. This is typically due to a smaller presence in the market than the Leaders, as measured by installed base, revenue size or growth, a smaller overall company size, or general viability. Visionaries may also be vendors that have specifically chosen to focus with excellence on an innovative subset of market needs.

Niche Players

The Niche Players quadrant is composed primarily of smaller vendors providing security education CBT that matches specific security education use cases, which are a subset of CBT market requirements. Niche Players focus on a particular segment of the client base, or a more limited product set. An ability to outperform or innovate may be affected by this narrow focus. Vendors in this quadrant may have a small installed base, or they may be limited, according to Gartner’s criteria, by a number of factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor’s value in the more narrowly focused service spectrum.

Context

The security education CBT market continues to be a rapidly growing market focused on delivery of content for end-user security awareness.
The market is evolving as it looks to provide demonstrable benefit to organizations, rather than just being a regulatory compliance “check box.” Innovations currently focus on:

■ Artificial intelligence (AI) offering individualized and personalized learning experiences that mirror learning styles, increasing consumption and retention of critical information
■ Behavioral intervention (which began with anti-phishing behavior management toolsets and is evolving into other integrations with more-traditional security controls)
■ Wide, diverse content sets, styles and materials to support multiple learner contexts
■ Robust LMS platforms that enable content assignment, as well as metrics reporting
■ Support for large sets of languages to enable global delivery of content
■ Intersection with threat intelligence, EDR and incident response to enable tailored, context-relevant training/testing content, as well as the ability to quickly analyze reported/suspected phishing emails and determine their risk

The structure and content of products remain dynamic in response to changing threats and employee behaviors. Continual changes in the devices that workers use and the locations where work is conducted are forcing organizations to influence employees’ security behavior and improve their security performance in workplaces. This ongoing change in the digital workplace erodes the efficacy of static education programs, driving enterprises to seek regular updates and improvements to the structure and focus of security education. Demand for innovative products that drive validated improvement in security performance is increasing, as is the demand for robust training performance metrics and reporting.

Market Overview

Market growth in security education continues to be driven by threats to the enterprise, such as hackers aiming to exploit employees through phishing attempts, leading to installed malware or stolen credentials. There is increasing recognition that relying solely on technology to secure an organization’s critical assets is not enough; therefore, educating employees on the various techniques used by bad actors can improve the overall security posture and reduce risks.

Continuous, drastic changes with respect to privacy regulations have end-user organizations requiring further education for employees as to why policies and procedures must be followed and what the risks are to the organization. Employees must recognize the potential for reputational and, more seriously, financial damage, should a breach occur. The combination of increased risks and a lack of internal expertise pushes many CISOs to seek products in the market that are capable of producing measurable improvements in employee security behavior.

To support security objectives, employees need skills, knowledge and motivation. Security education focuses on developing secure employees who, in turn, enable security performance, follow internal policies and procedures, and adhere to regulatory compliance.

This Magic Quadrant focuses on the portion of the overall security education market that is most often discussed by Gartner clients: security education delivered to employees via digital endpoints. Within that context, market growth is extremely robust.

Evidence

The analysis in this document is based on information from a number of sources:

■ Gartner customer inquiries and information sharing related to security awareness CBTs
■ Gartner customer inquiries and information sharing related to security awareness program development and trends
■ Analyst interactions with Gartner customers via inquiries and meetings
■ Survey of security awareness CBT vendors
■ Survey of security awareness CBT reference customers

Note 1 Anti-Phishing Behavioral Conditioning

A number of vendors provide products that focus on reducing the frequency with which employees click on URLs in phishing emails. Although each vendor provides a unique product, the basic approach is the same:

■ Phishing emails are sent to employees.
■ Employees who click on the URLs therein are immediately pushed into a CBT session.
■ Click rates and refusals to click on URLs are recorded for longitudinal trend analysis.

This approach has proved to be effective at diminishing the success of phishing attacks. By tightly coupling the clicking on URLs with participating in CBT, these products are able to provide valid evidence of a causal correlation between CBT participation and behavior change. In turn, this provides support for claims of positive ROI from such products.

Note 2 Calculating Market Size for Security Awareness CBT

The revenue projections for vendors rated in this Magic Quadrant account for approximately $451 million for 2019. The $660 million anticipated revenue for 2019 is calculated by looking at the combined revenue for the vendors tracked as part of the Magic Quadrant process. We then added an additional 30% to account for other vendors that are not tracked/rated as part of this process, which are small/regional vendors, or are unknown to us.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support.
This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. https://www.gartner.com/doc/reprints?id=1-1OC8XZ64&ct=190731&st=sb 28/30 8/1/2019 Gartner Reprint Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. 

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."