Scrap Learning: Why All Security Awareness Training is Not Equally Effective

While end-user training for secure behaviors has experienced an uptick in interest and legitimacy versus technical-only solutions among CISOs in recent years, not all security awareness training is created equal.

Most security awareness training programs have shifted from long CBTs or slide presentations to short, focused topics, which are much more effective. However, cybersecurity training and user assessments are primarily delivered on an annual basis, which is problematic for end-user retention. The reality is, that most organizations believe “we’re doing our best” when it comes to training. This time gap between delivery and application erodes the value of the organization’s investment.

What is 'Scrap Learning'?

A recent report published in May by the Aberdeen Group — Use It, Or Lose It: Quantifying the Risk of “Scrap Learning” — illustrates the business impact of training that isn’t applied on the job in a timely manner. Scrap learning refers to “training that has been delivered to employees, but not put into practice on the job in a timely way.” Timely is defined in this case as within six weeks after training delivery. Research-based estimates of how likely it is for training delivery to result in scrap learning are significant:

• As high as 80% (Source: Brinkerhoff Evaluation Institute)
• An average of 45% (Source: CEB Metrics that Matter)

Quantifying the Risk of Scrap Learning

Aberdeen’s Monte Carlo analysis does an excellent job at quantifying the risk of scrap learning, and helps to substantiate learning and development industry recommendations for minimizing waste and maximizing productivity.

We surveyed 1,000 UK and 1,000 US end users about their cybersecurity habits and knowledge. Find out how their actions could be compromising your business.

Maximizing the Benefits of Security Awareness Training to Minimize Scrap Learning

So how exactly do organizations get the full benefits of their security awareness training programs? We have long been advocates for a continuous education and improvement process that includes a cycle of assessments and training delivered in bite-size chunks over a period of time. This methodology sits in strong contrast to a “one and done” approach.

Research conducted at Carnegie Mellon University helped us develop highly-effective training solutions which utilize Learning Science Principles to engage the learner and change behavior.

• Present concepts and procedures together: Users may need a procedural lesson to understand that an IP address included in a URL could be an indication that they are seeing a phishing URL. However, they also need the conceptual understanding of all the parts of a URL to understand the difference between an IP address and a domain name, otherwise they may mistake something like www4.google.com for a phishing URL.
• Provide bite-sized lessons: People learn better when they can focus on small pieces of information that the mind can digest easily.
• Story-based environment: Don’t just list facts and data, tell a story.
• Provide immediate feedback: We have created “teachable moments” that deliver just-in-time teaching when mistakes are made.
• Learn by doing: Students who engage in hands-on learning are more likely to remember what they’re taught.
• Use a conversational tone: Phrasing the message differently in multiple contexts makes the trainee more likely to relate it to past experiences and forge new connections.

It’s important to remember that there’s more than one way to achieve the right results if you have the proper elements and foundation. Executing your security awareness and training programs in this manner can provide ancillary benefits, creating a culture of security in your organization that will empower your workforce and prompt employees to do the right thing when faced with a questionable situation. And not only employees — but executives, and your board — can benefit from this education, too.