Why More Isn’t Always Better When It Comes to Security Awareness Training Content
There is an old saying that “more is more.” This phrase is very applicable when you’re talking about chocolate and hours dedicated to Netflix binges. Not so much when you are talking about selecting content for a consistent, cohesive security awareness and training program.
Just as there is a science to learning, there’s a science to effective reinforcement. Consistency is key — though that doesn’t mean repeating things word for word, over and over again. Here are a few additional Learning Science Principles we apply in creating our cybersecurity awareness training content:
- Offer conceptual and procedural knowledge (i.e., mix “big picture” training with problem-solving techniques).
- Serve small bites of training rather than combining 15 topics into a two-hour session.
- Train in context to show employees how the education applies to them.
- Use storytelling techniques to keep users more engaged.
- Vary your message slightly to allow employees to experience the same concept in different contexts and forge new connections.
- Keep users involved by using education that allows for hands-on practice and decision-making, rather than resorting to presentations and videos that don’t support interactivity.
It’s important to be thoughtful about content delivery, and the surest way to do that is to choose a partner that is thoughtful about content creation. We know that some of our competitors offer hundreds of awareness and training options to choose from, in a variety of styles and flavors. Respectfully, we don’t feel that is an effective approach, and here are a few reasons why:
- When there is a vastly different “look and feel” to the pieces of content used, employees lose a sense of continuity. Materials need to strike the right balance between variety and consistency.
- Only so much time can be dedicated to cybersecurity education in any organization. While we advocate for regular, ongoing training, our goal is to allow organizations to create seamless programs that are minimally disruptive to the normal flow of business. You don’t want to overload your users and make training feel like a nuisance or a chore.
- Administrators don’t have time to wade through an exceedingly vast portfolio of materials to find the content that is appropriate for their organization. With Wombat, you can be confident that all pieces of our portfolio have been designed to work together, which helps organizations develop consistent, effective programs that generate early and ongoing improvements.
- To be frank, certain training modules should be repeated over time. Key topics — like phishing and ransomware prevention, compliance requirements, and data protection techniques — should be revisited every year and touched on regularly year-round.
Don’t put yourself — or your users — in a position of being either overwhelmed or underwhelmed by your security awareness training program. To ensure success, take a continuous approach that includes reinforcement activities. And be selective about “more is more” promises from your potential partners (unless you’re looking for more customer support, more multinational support, and more opportunities to engage with your peers).