Have you ever cooked something that came out tasting not quite right? When you double-checked the recipe and ingredients, you might have realized you had swapped sugar for salt or that the meat had gone bad.
Having the right, fresh ingredients can make or break a meal. The principle is the same for successful cybersecurity awareness training programs, and the depressing truth is failure is often baked right into these programs. Consider how they are usually administered: During onboarding, or soon afterward, employees participate in a lengthy security class, typically involving hours of material. The class might happen in a classroom, led by an instructor with minimal interactivity and engagement and supported by daunting printed documentation; or the class might happen online via drill videos resembling yesterday’s worst PowerPoints and relying on instructional techniques that just don’t work.
Nonetheless, employees must plough through a large number of modules to achieve “compliance.” Compliance is obviously important, but it’s often considered little more than a box to be checked. In reality, compliance needs to be tightly connected to business value, enterprise security, and employees’ personal motivations.
In many organizations, there is little follow-up after an employee’s first exposure to cybersecurity awareness training. At best, employees might get a “refresher” training the following year. This approach almost guarantees the program fails.
Much research suggests that, after attending a training session of some kind, people forget a great deal of the material within a year. One study found average forgetting rates of 19 percent to 36 percent one year after instruction. We also know that experiences perceived as having greater importance and relevance are more likely to be remembered. That’s an issue in cybersecurity awareness training, which often fails to give employees sufficient reason not to forget what they’ve learned.
Cybersecurity Awareness Training Requires Short, Persistent Bursts
Persistence is key to getting better results from cybersecurity awareness training. A one-and-done approach won’t work. Don’t try to get all your training out of the way in a single onboarding class or annual refresher session that demands hours of focused attention.
Instead, teach in short bursts of no more than a few minutes. That way, you stay within the attention spans of actual, busy employees in the real world while still covering all they need to know over time.
Chunk the subject matter you’re teaching into tightly focused short bursts of learning. That helps learners integrate the messages into their long-term memories so they can actually use their new knowledge to strengthen enterprise security. Then, immediately reinforce the teaching with engaging, interactive activities and instant feedback. As learning technology expert Clark Quinn puts it, you should build learning experiences that are “small but complete.”
Provide spacing between learning sessions, but not too much. Optimal recall typically occurs when retraining takes place at 30-day intervals. Don’t stop after one or two training sessions. Be persistent.
Altogether, this approach is usually called microlearning. While the research appears strong, we have to ask: Does it work outside of laboratory conditions? Can it actually change employees’ security behaviors?
Simply put, the answer is yes. Based on our own internal data at Ataata, employees who’ve engaged in short bursts of interactive cybersecurity awareness training are 115 percent more knowledgeable about corporate cybersecurity risk, and 33 percent of those employees say they’ve changed some personal behavior in the past three months in order to be more secure.
The Importance of Stories in Mircolearning
Of course, short microlearning modules can be boring, irrelevant, and forgettable, too. Training doesn’t work just because it is quick and optimally spaced, though these are indispensable features. Effective training also requires fun, appealing stories. Humans are hardwired to love stories, and lessons imparted through the narrative adventures of recurring characters are more likely to stay with employees.
Storytelling is a deliberate strategy for building a holistic understanding of corporate cybersecurity in a real-world context. It can help employees internalize how and why people make simple mistakes, what happens when they do, and how to avoid those mistakes in the future. Stories add the crucial ingredient of relevance, giving employees a reason to remember what they’ve learned.
Wouldn’t it be great if your employees had both the knowledge and the desire to help your security team succeed? Making this a reality is not as difficult as it seems. All it takes is the right approach to cybersecurity awareness training, rooted in the principles of story-based microlearning.
Michael Madon is SVP and GM of Mimecast Security Awareness, which owns Ataata.