Let’s face it, employees don’t care about security awareness training. That’s because most companies are still approaching it in the wrong way. Employees join a company and are thrown into long and boring security training straight away. The training is not very interactive or engaging: it usually includes pages of daunting documentation and often makes use of low-budget videos that barely get the message across. And then, once that initial training is done, that’s it. The box is ticked, and employees get on with their new roles.
The point is that employees must immediately go through large numbers of modules to achieve “compliance.” And while compliance is obviously important, it needs to be tightly connected to business value, enterprise security, and employees’ personal motivations. But too often, those connections aren’t made.
In many organisations, there’s little follow-up after an employee’s first cybersecurity awareness training. Some employers offer a “refresher” the following year, reminding them of all they’ve forgotten. However, this approach is flawed and inevitably sets the programme up for failure.
Mimecast’s 2018 State of Email Security report indicated that only 11 percent of organisations continuously train employees on how to spot cyber-attacks while 24 percent admit to monthly training, and 52 percent perform training only quarterly or once a year. This isn’t good enough.
Research suggests that people forget a lot in a year. Bahrick et al. found forgetting rates of 19 percent to 36 percent one year after instruction. We also know that experiences perceived as having greater importance and relevance are more likely to be remembered — and that’s especially an issue in cybersecurity awareness training, which often fails to give employees sufficient reasons not to forget.
So what advice can I give you for cybersecurity awareness training?
Persistent cybersecurity awareness training helps you build enterprise security.
Your training programme will achieve better results if you’re persistent. Don’t try to get all your training out of the way in a single onboarding class or annual refresher session that demands hours of focused attention. Instead, have regular engagements.
Teach in short bursts of no more than a few minutes.
Stay within the attention spans of actual employees in the real world, while still covering all they need to know over time.
Tightly focus each short burst of learning on a big idea in corporate cybersecurity.
That helps learners integrate your message into long-term memory. Then, immediately reinforce what you’re teaching with an engaging, interactive activity and instant feedback.
Space out your learning sessions — but not too much.
According to one careful research study (Bahrick, Phelps, Roedinger), optimal recall occurred when retraining took place at 30-day intervals. And don’t stop after one or two training sessions: make sure they’re regular.
This approach is usually called microlearning. We know it is what employees want. But does it change employees’ security behaviour? Yes.
Not all microlearning is equal
Of course, short microlearning modules can be boring, irrelevant, and forgettable, too. So it’s important to make training funny and appealing, and to tell stories. Humans love stories.
Story-based training helps build a holistic understanding of corporate cybersecurity in a real-world context. It’s designed to help people truly internalise how and why people make dumb mistakes, what happens when they do, and how to avoid them.
It’s time to do away with the boring presentations that no one cares about. If you offer content with relatable characters and situations, your employees will learn how to help build a stronger corporate cybersecurity culture.