In most organizations, cyber security awareness training is treated as an annual event. At some point during the year, possibly during security awareness month in October, employees are forced to sit through a computer-based training course and check the task off their list.
In reality, these types of cyber security awareness training are basically an online version of a lecture. A variety of content covering different topics is thrown at the participant to allow the company to say they’ve trained their employees. Unfortunately, this “check the box” method is extremely inefficient for making the company more secure. This type of training doesn’t work because:
- It is boring
- It is generic
- It is too much information at one time
- Learning is spaced too far apart
For cyber security awareness training to be effective, it needs to be engaging for the participant. But how can a company do that?
1. It needs to be interactive
Research strongly supports the notion that lectures aren’t effective ways to educate, even if they are delivered via technology. To make learning less boring, you need to make it interactive. Turning participants into active listeners is one way to do this: break up the content and engage the participant by asking questions or having them complete a learning activity. Games work extremely well to keep learners engaged and make it more likely that they will remember what they are learning. Another strategy that is extremely effective in helping learners retain information is to use simulations to give them hands-on experience with the material being covered.
2. Don’t generalize
In cyber security awareness training, it’s common to see things like “keep our resources safe” or “prevent intrusions.” These mean little to your end-users because most of them don’t realize that they are targets. Most of your coworkers don’t realize that, simply because they weren’t properly prepared, an attacker can compromise their account and use it to begin lateral movement throughout your organization’s network.
Don’t assume that IT security concepts are too difficult for your learners to understand. Be specific about what information and resources you are protecting and most importantly — why. Making the concepts you are teaching more personal to the learner increases buy-in and will help increase comprehension.
3. Break it up
One of the biggest misconceptions with training is that it has to be long for it to be effective, and that longer courses are the better value. This is possibly because of the belief that to provide more information or detail, the training must be lengthy.
Studies show that after a person is settled in, they only have 10 to 18 minutes of optimal focus. After that, retention of information decreases and focus shuts down. If your cyber security awareness training is one of those marathon courses that takes a person 40 minutes to an hour to get through, odds are they are tuning out before any of the important material is even introduced. Instead, deliver content in shorter, more focused training sessions. Cover individual topics instead of general security. Not only will your participants retain more, but they will be able to get back to their work more quickly.
4. Train more frequently
As mentioned earlier, the majority of organizations treat cyber security awareness training as an annual event. For the other 11 months out of the year, learning or reinforcement of these critical topics is completely absent.
Breaking training content into smaller, shorter lessons that are more specific allows you to easily spread awareness training throughout the year. Not only does this help keep learners focused on the content, but it also shows everyone in your organization that security is important because it is front and center companywide.
It’s a challenge to get people excited about cyber security awareness training. Even relevant topics are often glossed over in the hustle and bustle of the day-to-day. If you really want to ensure that a majority of your coworkers understand these concepts and processes, you need to make sure that you are doing everything you can to make the lessons engaging for everyone.