I’ve been conducting some cybersecurity training this week. It’s brought home an important lesson: make security training a game if you want to engage users and make the message stick.
Research by the Technology Affinity Group has shown that cybersecurity training, together with appropriate defensive measures, lowers the risk of an information security breach. So, cybersecurity training is not just a “nice to have” item.
You Can Lead a Horse to Water
As with other kinds of training, cybersecurity training comes in many formats. Some IT Managers feel like they’ve done their job if they expose users to self-paced video training. That’s a good way to get cybersecurity concepts to users. And self-paced training is great for letting users manage their own training time.
But we know that it’s easy for users to tune out a training video while they continue doing other work. It’s easy for them not to engage with the cybersecurity content. So, how do we get users’ attention? How do we get them to engage with content, so they can learn how to practice safe browsing and email habits?
Break Up Your Content
Britt Andreatta has written about the need to give our brains time to absorb information. She recommends setting up activities that break our presentations into 10-minute chunks. For instance, you might take a pause and engage in a discussion about what you’ve just presented.
In my cybersecurity training, I started with a twist on a game show, asking the audience to name an online scam they had experienced or heard about. At another break, I split the audience into groups and asked each group to compose a phishing email directed at an executive in their organization.
And You Can Encourage the Horse to Drink
The create-a-phishing-email exercise was useful and fun for users. We had just reviewed phishing tactics and social engineering concepts, so they were fresh in everyone’s minds. The groups thought it was fun to see if they could create email content that would encourage someone to follow a link or divulge some sensitive information. As part of the cybersecurity training exercise, we had each group highlight some of the phishing tactics (e.g., domain impersonation) that they used in composing their phishing email.
Consider Adoption in Your Cybersecurity Training Choices
The amount of cybersecurity training content is increasing all the time. It’s no longer true that you must hire someone and/or develop the cybersecurity training content yourself. But a bit of customized cybersecurity training can still be useful in encouraging adoption. After all, we’re trying to change user behavior when it comes to responding to phishing emails and other attempts to steal information. If we can make the learning process feel more like a fun game and less like a lecture, we’ve taken a big step in ensuring that cybersecurity training will stick.
I’m the VP of Global Services at CGNET. I manage our Cybersecurity and Cloud Services businesses. I also provide consulting and handle a lot of project management. I wear a lot of hats. Professionally, I’m a builder of businesses. Outside of work, I’m a hobby farmer, chef, skier, dog walker, jokester, woodworker, structuralist, husband and father.