Ahhh, autumn. The leaves are changing colors; sweaters are making their annual reappearance. The scent of pumpkin pie spice fills the air (well, at least in the United States. It’s downright ubiquitous here). And once again… it is National Cybersecurity Awareness Month! This year’s theme is “Do your part: #BeCyberSmart”, which in part specifically encourages organizations to take proactive steps to enhance cybersecurity. In other words, it’s time to step up to the plate with that cybersecurity training.
Training, you say? Yawn…
Cybersecurity training is more important now than ever. But as with any kind of employee training, there is always the potential for that collective eye-roll. We all know the feeling: “Oh boy, here we go again. We’re being pulled from our actual work and forced into another boring training session.” Knowing this very human response, wouldn’t we want to use any means possible to make it more fun?
In fact, a new study of 1,000 U.S. employees by Osterman Research revealed just how counterproductive boring cybersecurity training can be. Surveyed employees who found training to be very interesting were 13 times more likely to say that it fundamentally changed how they think about security than those who found the training to be dull. Bottom line: “The more interesting security awareness training is perceived to be, the more likely that employees will change their behavior…”
So — speaking of that aromatic autumn gourd again — why not spice things up so that what is learned this year actually sticks? I mean, think about it: You’ve really got nothing to lose and everything to gain. Last year, my colleague Dan wrote a couple of posts on how to get your staff engaged in the process of security training by using quizzes and games. I’m going to follow up on those ideas and add some new ones I’ve been reading about.
Gamify your training
“Gamification” is exactly what it sounds like: applying the elements of game playing (e.g. scoring, competition) to other areas of activity, as a technique to encourage engagement. The gamification of training can be looked at in broad terms as the delivery of creative and interactive lesson content. Or you can apply the concept more specifically by incentivizing employees with rewards to encourage the completion of training. To be honest, there is no reason you can’t mesh both approaches to achieve your organization’s goals: Provide a unique interactive training experience that concludes with a prize for the winner(s)!
I poked around the interwebs over the past couple of days and found quite a few ideas to consider: (Note: As many of these links are no longer viable as of October 2021, an updated selection of games can be found here.)
- Try this Family Feud spinoff created by Living Security. They crowdsourced 19 cybersecurity-themed questions to provide an immersive learning experience to employees.
- How about a cybersecurity awareness crossword puzzle by the folks at the Center for Development of Security Excellence? Might be a fun tool early in training just to determine the level of security knowledge your employees currently have.
- This Magic 8 Ball Q&A slideshow could also be a good way to either start or reinforce awareness training.
- The CDSE has also put together what looks like a really engaging “I’ll take cyber” Jeopardy-style game that can be played by one person or in teams.
- Quizzes are a useful interactive tool. (And again, even more so if the quiz is treated as a game resulting in some kind of reward.) Cybercrime Magazine put together this 24-question Pop Quiz back in March, specifically focussed on remote work.
- Proprofs.com came up with these 38 online quizzes on cybersecurity. Look through them, and maybe take them yourself to determine which best suits the needs of your staff.
Feeling motivated? Then why not invent your own interactive game that can be played either in person or over Zoom or Teams? After all, the trainees shouldn’t be the only ones allowed to have a bit of fun! And don’t forget those prizes…
When is it time for a refresher?
We’ve established that making training interactive and fun leads to better retention. But how do we know when even those lessons learned are starting to fade? You certainly don’t want to wait until there is a successful cyberattack event to find out! Helpful advice comes from non-profit USENIX, The Advanced Computing Association. They presented the results of their study on the retention of cybersecurity training at the Symposium on Usable Privacy and Security (SOUPS) conference in August. While the study showed that there was “significantly improved performance of correctly identifying phishing emails” immediately and up to four months after training, this was no longer true after six months. Therefore, they recommended that follow-up training take place every six months after the initial sessions.
They also discovered that reminder measures based on interactive examples performed the best, lasting at least another six months. This simply reinforces the idea that approaching training from a human perspective, using games, quizzes and other interactive training methods, is definitely the way to go to get those lessons to stick!