People remain the primary target of attackers, who have refined their trade using deception, obfuscation and manipulation to induce user actions that can jeopardize an organization’s security.
Security awareness training provides the education and awareness people need to identify the tactics attackers use to lure them into unsafe actions and behaviors. But security awareness training can become arduous when users don’t have rich and meaningful experiences. Here are tips to help keep your users interested and engaged.
Brand your program
Organizations should strongly consider branding their security awareness training programs. Naming your security awareness training program properly will help users understand what the organization wants to accomplish and make it more relevant to them. For instance, maybe the organization needs users to treat EU customer data with extreme caution, ensuring the effectiveness of processes and controls for the General Data Protection Regulation (GDPR).
A potential theme could be “Become a Data Privacy Defender.” The title clearly highlights the purpose (data privacy) and the role of the user (an active contributor to the privacy effort). Simply calling it “GDPR training” might not garner the same support. Or maybe your culture calls for a direct approach, with more practical themes. If that is the case, naming training programs around specific topics, such as phishing, social engineering, email, working from home, etc., may be appropriate.
Leverage Learning Science Principles
Learning Science Principles have proven to be effective at changing behavior in adults. They include several concepts and techniques to support the best learning and retention outcomes:
- Offer conceptual and procedural knowledge; give users the big picture and specific lessons.
- Serve small bites; keep training to minutes versus hours and focus on single topics as often as possible.
- Reinforce lessons; provide feedback and keep training and awareness persistent.
- Train in context; assign training relevant to roles and threats.
- Give immediate feedback; give real time results on training or phishing exercises.
- Let them set the pace; everyone is unique in their speed of learning.
- Tell a story; give real world examples.
- Vary the message; ensure topics have multiple content sets that vary in wording and phrasing.
- Involve your students; interactive content and exercises improve retention.
- Make them think; exercises should test how students can apply their knowledge.
- Measure results; assess students up front and track progress continuously.
Keep Training Interesting with Diverse Content and Media
Channels and activities define how you deliver your content. The “Rule of 7” says you have to get an ad in front of a user at least 7 times in order for them to engage. Regardless of the security awareness training solution you are using, a best practice is to use multiple channels and activities to communicate your message. Here is a sample list, not exhaustive, but a good example of activities and channels:
| Activities | Channels |
| --- | --- |
| Simulations (phishing, USB, SMS, etc.) | Security awareness training tools |
| Knowledge assessments | Security awareness training tool or survey tool |
| Identification and monitoring of Very Attacked People™ (VAPs) | Threat intelligence/email gateway |
| Computer-based training | Security awareness training modules via online platform or other learning management system (LMS) |
| Awareness campaigns | Posters, videos, podcasts, webinars, guest speakers, infographics |
| In-person awareness and training exercises | Lunch and learns, booths at company events, speaking slots at company events, in-person training, escape rooms |
| Contests/gamification | Acknowledge training progress via an existing company channel like a newsletter or wiki |
| Security awareness information | Company wiki, intranet, or shared company calendar |
| Security awareness updates | Company newsletter, chat application channel, or integrated into another department’s communications |
| User feedback about security awareness training program | Survey tool or shared mailbox |
| User phishing reporting | In-client email reporting add-in solution or abuse mailbox address |
Departments and individuals that can help
Security, marketing, HR, and executives can play important roles in your security awareness training program.
- Security may be able to make recommendations to improve content to make it relevant to corporate policy (such as password policy). They can identify individuals who are targeted or may need training (such as groups who handle sensitive data).
- Marketing can help design security awareness materials, so they have your organization’s brand elements.
- HR teams can advise on organizational dynamics and provide insight on working with executives and line of business (LOB) leaders.
- The CISO (or other key CxOs or LOB leaders) can communicate support and emphasize the importance of the program.
Guiding users toward the right behavior (Carrot vs. Stick)
Security awareness training needs positive perceptions to avoid user resistance and indifference. The steps outlined above can help create a positive perception and help maximize security awareness program value and acceptance.
Most organizations do not have a “stick” approach to security awareness training. However, in rare circumstances, user resistance may require this approach. In these cases, “stick” type programs are needed to ensure compliance with training policies. While these programs should be a last resort, here are a few examples of how organizations have implemented these consequence-model programs:
- A “three strikes” program where users who click on three simulated phishing emails face a consequence such as a discussion with their manager, temporarily limited network access, or loss of access privileges
- Consequences such as HR writeups, monetary/benefit reductions, and in rare cases, termination
We think a best practice is to focus on “carrot” style programs while keeping consequence models as a last resort. Our customers find that an overreliance on “stick” makes users less likely to engage with a security awareness training program, though if you work in a highly regulated or especially sensitive industry these practices may be necessary.
Conclusion
By following these five principles, your security awareness training program will have the optimal framework to yield measurable benefits for the organization while creating positive and enjoyable user training and activities. These principles have been utilized by Proofpoint security awareness training customers in various industries to reduce risk, cut operating expenses and support privacy compliance.
Follow our blog as we provide free guidance on how to build a successful security awareness training program. Watch our panel webinar: Benchmarks & KPIs You Need to Know for Security Awareness Training.