Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?
For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.
In previous blog posts in this series, we’ve advised you to think like a marketer and sell security to your users; we’ve also stressed the need for immersive training techniques. When done improperly, immersive training limits the effectiveness of a program (like driving a high-performance sports car in heavy traffic). Immersive training needs to be conducted in a way that engages participants and avoids the pitfalls.
With that said, here are ways to make your immersive security awareness engaging and maybe even (dare we say it?) fun for your users.
Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope. With customers first using PhishMe, we advise starting with a basic scenario, usually an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since our goal is to improve behavior, start simple and work up to more complicated scenarios.
Be Specific: Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this has it?). Avoid vague messages like “keep company resources safe”, instead give users specific, actionable information that will help them change behavior.
Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients. PhishMe offers training content in video form, HTML templates, and an interactive game to ensure our customers appeal to different learning styles and personality types.
Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. Despite this, 54% of industry pros we polled this year at Black Hat said their organizations conducted training only on an annual basis. By continuously training users at different times throughout the year, safe security behavior becomes a habit, and not something forgotten as soon as training is over.
Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognizing people and departments who have done well. Educate and support those that need additional help.
Maybe it’s a stretch to think that security awareness will ever be fun, but if you follow these guidelines, you’ll keep your employees engaged and ultimately improve their security behavior.