How to make a difference to your security awareness program in 2020
A belated Happy New Year to everyone! I apologise for being late in welcoming everyone to 2020. Here’s hoping that your new year is filled with health, success, and entertainingly refreshed annually-recurring security training products. Why that, of all possible wishes? Because the chore of taking the exact same training module year after year can be exhausting, demoralizing, and counterproductive to meaningful behaviour change. Let’s face it: there are very few lectures where – after you’ve completed them – you’d ever want to take again.
Speaking solely from personal experience, I only ever got value out of the military’s computer-based training library the first time I took a course; on the second (and ever subsequent) viewings, I could next-click my way through and still pass the end-of-course exam from memory. After all, neither the content nor the questions had changed. What was there to learn?
Please don’t do that to your users. I strongly advocate for breaking down your flagship course at the end of the year. Discard everything that’s no longer relevant, everything that failed to produce the desired behaviour change, and everything that users took exception to. Only then consider adding new content. I recommend starting with the smallest product possible and only expand it when and where necessary.
That’s a stylistic choice; not all organisations have the time, staff, and/or budget to re-build their core training products every year. Heck, there are still thousands of small and medium businesses out there that don’t even have a security awareness function, let alone a dedicated security awareness employee. Even those organisations that have a full-time staff may find themselves pressed for time given the role’s insatiable demand for new content.
That being said, the need to regularly refresh your training material cannot be overstated. Fatigue is one of the greatest challenges that security awareness teams have to contend with. As cybersecurity personality Ray [REDACTED] said it on the 17th October episode of Cyberwire’s Hacking Humans podcast:
“…in cybersecurity, we have something called alert fatigue, we have something called outrage fatigue, and we have something called breach fatigue – right? – which is when you see a big announcement about DoorDash and, you know, millions and millions of people’s information being leaked or even Words With Friends – right? – we’re so numb to these massive breaches that it feels like they’re almost inevitable, right? And to a certain degree, when humans feel like something is basically inevitable, there’s a tendency to just assume that it’s going to happen at all times and that there’s nothing that can be done to mitigate the impact of it.”
I’d like to add one more category to Ray’s list: lecture fatigue. Note that I didn’t say training fatigue; most people aren’t really opposed to learning something new, especially when the content they’re learning might give them a meaningful advantage in life. People are curious. YouTube probably wouldn’t even exist today if people weren’t. No, what I mean is that most people strongly dislike being lectured to. Having an authority figure deliver a one-way admonishment about how Things Must Be Done is grating.
There are multiple effective ways to minimize lecture fatigue. Employing a conversational style when delivering your content can make it more approachable and collegial. This helps to humanize your experts and make your department more approachable.
Employing humour to make a point can help retention and virality. People enjoy sharing a good punchline. Just be careful … your office culture dictates if humour is allowed. Even when it is, humour is highly subjective and sometimes doesn’t cross language barriers.
Another excellent tactic is to employ brevity. Splitting your training into “bite-sized” morsels can reduce the perceived impact of training … at first. It’s illusory. Sixty minutes of training broken up into twelve 5-minute modules is still sixty minutes of training. People will catch on after the second or third module assignment.
I’m a huge fan of delivering live training in lieu of pre-recorded training. I’ve found that nearly anything interactive, where the audience can participate, will be more warmly received than the flashiest CBT module. Live training imposes much higher demand on your trainers, though, which might interfere with other duties.
Note that while all these tactics are all great at minimizing lecture fatigue, they’re not a cure-all. The thing is, these techniques are undermined when your core content itself is repeated verbatim. Once a person has experienced your five-minute-long, instructor led, humorous, conversational training module, it’s lost its power to further entice and inform. People have heard your jokes! They’re not nearly as funny the second time around.
That’s why I advocate for comprehensive annual change whenever development time and resources will allow it. If you can’t remove a mandatory training module, at least redesign the on-screen content and record all-new voiceover for it so that it seems new. It isn’t really, but little changes can still make a difference. Users can see (and hear) that you’re trying to keep things fresh. That, in turn, improves both comprehension and knowledge retention.
Strive to reinvigorate your security awareness program in 2020 by rebuilding your annual training module(s) … if you can. I understand if you can’t. If you can’t, try offering a few live instructor-led versions of the class(es) just to liven things up. Show your users how much you care. They’ll reward you with more secure behaviour over the rest of the year.
NB. The views, thoughts, and opinions expressed in this column belong solely to the author and do not necessarily reflect those of the author’s employer.