
“Mandatory training” sends shudders through the best of us. But security awareness must be part of the cyber defence strategy in any organisation. What’s going wrong with current approaches?

We asked users what they hated about security awareness training, to come up with a set of “do nots”:

1. DON’T rely on lengthy annual mandatory training sessions.

“You just read stuff and press next, next, next, next…”

2. DON’T use negative incentives, individual rankings or think that a certificate is a worthy reward.

“I have been to training where they provide you with a certificate and I don’t usually pick it up.”

3. DON’T frame it as ‘mandatory security awareness training’. This instantly sets expectations and puts up barriers.

“People associate mandatory training with the organisation / department covering its own back”

4. DON’T use overly passive delivery models – reams of text, for example – but avoid childish or patronising content too.

“I know they’re trying to make it fun, but we’re grown-ups”

5. DON’T let the content get tired.

“If the organisation can’t be bothered to update our annual training then it can hardly be that important to them”

6. And finally the jury is out on mobile. We saw a bias away from mobile delivery and a firm dislike of any expectation that people will do training in their own time.

“If the organisation value it, they should make time for it”

What does good security awareness training look like? We asked the same groups to share what they liked, what worked, to define a set of “do dos”:

1. Stimulate the decision to learn – e.g. by delivering well-timed, thought-provoking messages that people access when they are prompted and ready to engage.

“It is good to stimulate your (own) thinking and start the learning process”

2. Make it personal – relevance to the user’s personal life, and protection of their personal assets, gains more interest than guidance that purely addresses the needs of corporate governance.

“They talk about what’s going to happen to the company but if they relate it to you personally that would make me learn about it”

3. Moderate the length and be clear on key messages – people won’t engage properly if training is over-long or lacks a clear set of takeaway messages.

“People only take away three key points from training”

4. Expand on training over time and keep it fresh – people won’t take everything in during one session; repeated exposure to key messages is required to make them stick.

“Learning little by little when it’s relevant is much more likely to stick”

5. Make the learning feel necessary, applicable, and manageable – training that genuinely relates to people and their role within the organisation, and that gives them something actionable.

“When it’s relevant and you can actually see where it lies in your personal life, or indeed in the workplace, you get a lot more out of it. It’s then you can actually see the relevance”

6. Offer “risk based” guidance – targeted at people according to their role or activities at a specific point in time (e.g. when they plug in a removable drive, click a link, enter credentials into a browser etc).

[Targeting a] “more specific personal need, is something I would prefer because I don’t really know what I know at this point about cyber security”

Summarising the “do nots” and the “do dos”, our challenge is to deliver the right content to users, the right way, at the right time.

ThinkCyber

ThinkCyber offer an NCSC-certified drip-fed course – Redflags Security Stories 1.0 – as part of a wider real-time security awareness toolkit. Stories provide drip-fed, short, engaging and actionable content across the year. Avoid the “do nots” and embrace the “do dos” of security awareness today with Redflags™.
