It's depressing but true: failure is baked right into the DNA of most cybersecurity awareness training.
How Cybersecurity Awareness Training is Taught Today
Consider how cybersecurity awareness training is usually administered. During onboarding or soon afterwards, employees must participate in a lengthy security class — typically involving hours of material. That might happen in a classroom, delivered by an instructor with minimal interactivity and engagement, and often supported by daunting printed documentation. Or it might happen online, via drill videos resembling yesterday's worst PowerPoints, and relying on instructional techniques that just don't work.
Either way, employees must rapidly go through large numbers of modules, to achieve "compliance." Compliance is obviously important. But it needs to be tightly connected to business value, enterprise security, and employees' personal motivations — and too often, those connections aren't made as well as they should be.
In many organizations, there's little follow-up after an employee's first exposure to cybersecurity awareness training. After that introduction, not much happens. At best, employers might get a "refresher" the following year, reminding them of all they've forgotten. This approach is almost certain to guarantee that your program fails.
As learning expert Will Thalheimer has shown, forgetfulness varies depending on the content topic and the individual study. However, research suggests that people forget a great deal in a year.
For example, Bahrick et al found forgetting rates of 19% to 36% one year after instruction1. We also know that experiences perceived as having greater importance and relevance are more likely to be remembered — and that's especially an issue in cybersecurity awareness training, which often fails to give employees sufficient reasons not to forget.
A Better Way to Teach Cybersecurity Awarness
Short, persistent bursts of cybersecurity awareness training help you build enterprise security.
Your cybersecurity awareness training program will achieve better results if you're persistent. Keep coming back to your employees: don't try to get all your training out of the way in a single onboarding class or annual refresher session that demands hours of focused attention.
Teach in short bursts of no more than a few minutes. That way, you stay within the attention spans of actual employees in the real world, while still covering all they need to know over time.
"Chunk" what you're teaching to tightly focus each short burst of learning on a big idea in corporate cyber security. That helps learners integrate your message into long-term memory, so they can use it to strengthen enterprise security. Then, immediately reinforce what you're teaching with an engaging, interactive activity and instant feedback. In other words, as Clark Quinn puts it, build learning experiences that are "small but complete."
Next, provide spacing between learning sessions — but not too much. According to one careful research study (Bahrick, Phelps, Roedinger), optimal recall occurred when retraining occurred at 30-day intervals2. And don't stop after you train once or twice: be persistent.
This approach is usually called microlearning. We know it's what employees want. But does it work — not in the laboratory, but to change employees' security behavior? Yes.
We've found that employees who've engaged in Mimecast Awareness Training are 115% more knowledgeable about corporate cybersecurity risk than peers who haven't engaged and 33% more likely to say they've changed a personal behavior in the past three months to become more secure.
For security awareness programs, not all microlearning is equal
Of course, short microlearning modules can be boring, irrelevant, and forgettable, too. But there’s a better way. They can also be funny and appealing and tell stories. Humans are hardwired to love stories.
It’s a deliberate strategy for building a holistic understanding of corporate cybersecurity in real-world context. It's designed to help people truly internalize how and why people make dumb mistakes, what happens when they do, and how to avoid it.
By watching people — not bullet points — your employees learn how to help build a stronger corporate cybersecurity culture. Wouldn't it be great if your employees had both the knowledge and the desire to help your security team succeed? It can happen.
1Bahrick, H. P., Bahrick, L. E., Bahrick, A. S., & Bahrick, P. E. (1993). Maintenance of foreign language vocabulary and the spacing effect. Psychological Science, 4, 316-321.