Challenge: How to Foster Security Training Engagement
If you’ve been following along (and we know you have!), you’ve heard us stress the importance of security training for staff as a component of your cybersecurity posture. (If you want to know more, click here.) But conducting a training session is not enough; it has to stick. So, how can you foster security training engagement? How can you get your staff leaning forward and really participating?
We’ve all been through bad training. I recall the time at another company when our HR representative literally stood with her back to the audience, reading the text of a PowerPoint slide. That sort of cringe-worthy experience is not what you want to replicate with your cybersecurity training. Luckily, research by Britt Andreatta and others has shown that breaking the training into short pieces, and engaging the brain in different ways, will help participants learn and retain more information.
Solution: Pop Quiz!
There are lots of ways to foster security training engagement.
We’ve done this in the past with exercises like “build a phishing email” and our security version of Family Feud (“survey SAYS!”) These exercises all help to foster security training engagement. The method we’re going to talk about here is simple. Recently a customer showed us a new approach: online quizzes.
Let me start with the “aha!” moment. My co-presenter for the security training pointed out that using an online quiz (vs. calling on people to answer) had two benefits.
- More people participated, because they were responding anonymously. Some people are just shy.
- Remote meeting participants could join in as easily as those in the meeting room.
How We Incorporated Quizzes into Our Training
Let’s set the stage.
One of our customers noticed that click-through rates on its periodic phishing test were going up. (Did I mention that conducting regular phishing tests is also an important component of your cybersecurity posture?) Maybe this was because the customer had recently added a lot of staff. Maybe people were reverting to old habits. The customer asked CGNET to come in and conduct a security training session.
My co-presenter on the customer side thought we should focus on one or two topics and go in depth. In the past, we had tried to squeeze a lot of topics into the allotted time. Almost without fail, the result was that we couldn’t spend enough time trying to foster security training engagement.
After some discussion, we agreed to focus on phishing. We wanted to spend the bulk of our time looking at example phishing messages and helping people understand the clues to recognize these bogus messages. We used as many examples as we could of phishing messages actually received by the customer. We thought these “real world” examples would help foster security training engagement. Here’s an example message (not one received by the customer).
Our plan was to show each phishing email and ask the audience any of three questions.
- What are the clues that this message is a phishing message?
- Guess what information or assets is the phishing person attempting to obtain?
- What emotion is being targeted in this message?
We wanted to use an online quiz tool to ask these questions and share the response statistics. We thought about using something Forms, since it can be used within PowerPoint. But we chose a tool called Mentimeter for the following reasons.
- My co-presenter had a paid Mentimeter account, so we could access more goodies like multi-part questions.
- Mentimeter works with a web browser and is optimized for mobile. We didn’t want to spend precious training time working with the audience to download and install an app.
- We wanted our remote participants to easily join in the fun.
Quizzes Helped Us Foster Security Training Engagement
Using Mentimeter to foster security training engagement worked well for us. We often had 80% or more of the audience participating. When we went over the quiz results, we generated additional comments and conversation.
Mentimeter is designed to be a presentation vehicle with quizzing options. (It made me think of Prezi). Had we used Mentimeter that way, we wouldn’t have had to shift between Mentimeter in a browser and PowerPoint. However, it was going to be too much work to recreate all the PowerPoint material in Mentimeter. So, we lived with the application-switching.
Here’s an example of how the quizzes worked. These screenshots are from Microsoft Forms, but the user experience is similar to Mentimeter.
This is the question I wished I had asked in a quiz.
And here is an example result.
Had I used a quiz to foster security training engagement, I would have more easily learned that no one—no one—understood my reference to Wicked Tuna (link here if you didn’t either.)
Be sure to look at online quizzes to foster security training engagement. They’re fun and help you reinforce key training messages. They encourage friendly competition and audience dialog. They’ll help your users be better email and web consumers. They’ll reduce your cybersecurity risk.