Security Awareness Training Evolution: Focus on Great Content
As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not most, and reaching those folks will minimize the number of issues you have to clean up. Of course balancing how much to time and effort to spend on security awareness training is a company-specific decision which depends on the sophistication of your employee base, the kinds of adversaries you face, and your organizational culture. Regardless of how much time and effort you spend and which techniques you use, if your security awareness training content is poor it will be wasted effort. This post will tackle the issues around developing (or buying) great content – as they say, “Content is king!” Let’s start by defining great content. Here is a list of some key requirements: Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired outcome for training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, the content is ineffective. Current: Security is a dynamic environment, so the training materials need to be kept up to date. Yes, you still need to tell the employees about vintage 2009 attacks because you will still see those. But you also need to train them to defend against the latest and greatest attacks, because those are what they are most likely to see. Comprehensive: Captain Cliche reminds you that security is only as strong as the weakest link. Employees need to be prepared for most everything that will be thrown at them. It is neither realistic nor feasible to turn normal employees into security professionals, but they can understand the major attack vectors and develop a ‘Spider-Sense’ so they are aware of attacks as they happen. They won’t be able to defend against attacks you don’t train them on. Compelling: Most employees don’t really know what’s at stake, so they don’t take the training seriously. We are not fans of trying to scare employees or playing Chicken Little, but they need to understand the consequences of data breaches. It’s really just a matter of integrating a few stories and anecdotes into the training materials to make the attacks a bit more real, humanizing attacks and taking them from theory to reality. Fun: Boring content is boring. If employees don’t enjoy the training materials they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it may seem, no fun usually means no (or little) learning. Most folks have short attention spans. Optimize your content in small chunks, typically 3-5 minutes for some kind of lecture, or an exercise that can be completed in that kind of timeframe. The gluttons for punishment in your employee base may want to blast through 5-10 chunks at a time, but give folks the option to get through a lesson during a quick break. That way they don’t have to totally disrupt the flow of their day to get training. Weigh the effectiveness of video compared to a presentation deck with a talking head. Stories are more effectively told through video, and your training materials need to tell a story about the importance of security and how to defend against attacks. Gamification Two of the key requirements for better content are compelling and fun, so the shiny new concept of ‘gamification’ should come into play. Maybe it’s not actually new – many of your younger employees were probably taught to type by Mavis Beacon. Now academia is catching on, and a number of studies show that adding competition and gaming concepts to learning dramatically increases retention and value. One organization we have worked with pits its business units against each other for the fewest infections per quarter. The BU with the lowest number each quarter gets possession of a $100 trophy, and the company takes the contest very seriously. It turns out business leaders want to win, whatever the game is. To be clear, this isn’t really an educational ‘game,’ but it is competition to get the right outcome for the organization, thus minimizing infections. And nothing gets everyone on board faster than senior management making it clear they want to win. In terms of structuring content within the context of a game, here are a couple ideas to ponder: Levels: Humans love to achieve things and to feel that sense of accomplishment. If your training involves multiple levels of content within the materials, and employees need to qualify to proceed to the more advanced lessons, they will be pushed to advance their skills to attain the next level. Points: Depending on the nature of the training you can award points for better or faster results/performance. Again, human nature is to collect an increasing amount of things for that sense of accomplishment. Scoreboard: If you will award points for proper outcomes, you might as well highlight the best performers to recognize employees doing exceptionally well, and to drive others to compete. Penalties: No one likes to lose what they have gained, so you could take points away from an employee if they don’t complete the next level (or at least go through the next lesson) within a certain amount of time. Knowledge erodes over time, so you want to have the employees complete the materials as quickly as possible and then reinforce the material soon after. And that’s just the tip of the iceberg. You could design (or license)
