Security Awareness Training

    Teaching Good Security Behaviors with Seinfeld

    Security departments can use entertaining content to get employees more engaged in security awareness training.  

    by Dr. Matthew Canham
    GettyImages-1276490536-1200px.jpg

    Key Points

    • Getting employees to engage with security awareness training content is challenging. 
    • Security departments can overcome this by relying on content that employees want to engage with.
    • Moreover, entertaining content results in more effective learning than content that is dreary.    

    A recent survey of security awareness training programs found that users view the content as overwhelmingly tedious. “Get a red-hot poker and open up my eyes, it’s so boring” was one of the more expressive remarks made by respondents.[1] One way to overcome this challenge is by delivering content that does not “feel” like training.

    Security awareness lessons that present training through entertaining dialog motivates employees to engage with training — not just go through the motions of “checking the box” — because the lessons are enjoyable. Brain science demonstrates that a storytelling approach based on situations relatable to everyone, including those from non-technical backgrounds, engages more of the mind’s memory processing centers, drawing employees into lessons without them being overly aware that they are “doing training.”

    To dig deeper, Mimecast recently commissioned a white paper on the subject, titled “Teaching Good Security Behaviors with Seinfeld,” with key findings summarized in this article. 

    Seinfeld’s Solution

    It is no coincidence that elements like dialog and situation are also crucial to the formula for successful television situation comedies. Consider Seinfeld. The “stickiness” of the show derives from each episode beginning with an everyday situation that is relatable to most people and that ties together that episode’s narrative. This approach to storytelling combined with character-building across episodes draws audience members into the storylines because they become invested in the characters and begin to anticipate their actions. From a cognitive perspective, as described further below, Seinfeld is successful because it achieves all of the following:

    • Involves distributed learning through weekly episodes.
    • Engages multiple memory systems through narrative.
    • Induces memory elaboration through character development. 
    • Is enjoyable because it’s funny! 

    Similarly, Mimecast’s approach to security awareness training draws on the same cognitive principles that have brought success to Seinfeld and all the world’s favorite sitcoms. Mimecast awareness training teaches its lessons over a series of short episodes that engage distributed learning. It uses relatable narratives that recruit multiple memory systems for better encoding and recall of material. It relies on a continuous set of characters to encourage memory elaboration — one character who is full of bad advice, named “Human Error,” and his counterpart, “Sound Judgment.” And the sketches are funny.

    This is a more effective way to deliver training, based on scientific research that shows how humor improves student understanding of material and makes learning more productive when delivered through video instruction.[2] 

    Recruiting More of the Brain for Better Learning 

    The brain processes different types of information through three distinct memory systems: procedural, semantic and episodic. Learning through storytelling narratives is a powerful instructional technique recruiting all three memory systems. More specifically:

    • Procedural memory is memory about how to do something. Learning to avoid phishing attacks by responding to simulated phishing trains our procedural memory to make us more secure.
    • Semantic memory is memory for facts, figures and rules. Learning company email policies about how to deal with email attachments from unknown senders is an example of semantic memory engagement.
    • Episodic memory is the type of memory that is recruited through narrative stories. When we engage with a story, we simulate those events in our own mind and create episodic memories for them as if they were our own experiences. An episodic memory relating to security might come from a friend who tells us a story about opening a malicious email attachment that deployed ransomware on their system. 

    Memory Elaboration: Julie Baker Versus ‘Julie Is a Baker’

    “Memory elaboration effect” refers to the phenomenon in which information that activates more memories related to other memories will be more deeply encoded and easily recalled than information that is less related. For example, recalling that Julie is a baker activates memories associated with baking (such as baking shows, recipes, pastries, etc.), making her name easier to recall than trying to remember the surname Baker, which does not carry the same elaborations. 

    Hacking the Learning Curve Through Distributed Learning

    One of the most well-established research findings in educational psychology is the “distributed learning effect,” in which the most effective way to learn a skill or topic is through repeated exposure or interaction over a given period. The sitcom approach to learning, by relying on an ongoing set of cast members with whom employees become familiar over time, maximizes the distributed learning effect through repeated lessons using slightly different scenarios. 

    Learning Because It’s Fun

    Training that’s amusing and doesn’t feel like work engages autotelic learning (learning that is enjoyable for its own sake). Autotelic experiences can lead to psychological “flow states,” which occur when someone becomes engrossed in an activity such as reading a book, playing a video game or working on a project.[3] Research on the relationship between flow states and memory has shown benefits to memory encoding and recall.[4]

    Narrative and humor can facilitate flow states in learning by helping the learner become engrossed in the narrative of the story, while humor reduces the potential anxiety the learner might experience about the material by making it approachable and entertaining.[5] Customer feedback for Mimecast training indicates that this approach has been effective in keeping employees engaged with the material. For example:

    • “This was right on point. It kept my attention with the slight humor and the ‘Human Error’ and ‘Sound Judgment’ shirts. It held my attention and had me interested the entire time unlike some other learning modules.”
    • “I enjoy the videos. It’s actually not painful to watch like other training videos and I can relate to them.” 
    • “I have told many that humor via short clips is by far the best way to keep all of the non-IT folks out there engaged in this. Humor will also help them remember why the human error was a bad thing.”

    Does This Training Approach Really Work?

    Mimecast’s 2021 State of Brand Protection Report, an analysis of data derived from the company’s monitoring of its 40,000+ customers, showed that it does. Specifically, employees who were not provided with Mimecast awareness training were 13.6 times more likely to click malicious links than those who did get the training. Feedback from employees who have received the training also provides insights into the value of its approach. Examples include: 

    • “These scenarios are great. There's really nothing to be done to change or do better. The presentations are communicable and timely.”
    • “I think that this is the best training that I have experienced.”
    • “Awareness training is comical and easy to learn! Short and to the point, easy to remember, quick and engaging.”

    The Bottom Line

    Much like Kramer from Seinfeld, the Human Error character can be erratic — reinforcing the point that this is not who the employee should emulate. By contrast, the Sound Judgment character acts more like Jerry Seinfeld, as a sort of voice of reason. The familiarity of Human Error and Sound Judgment shapes employee expectations for the prudent courses of action when faced with potential threats. Using sticky narratives to illustrate these lessons is a more effective approach to security awareness training, inspiring employees to continue thinking about the lessons after the training has finished. You can read more in our white paper, “Teaching Good Security Behaviors with Seinfeld.”


     

    [1]Get a red-hot poker and open up my eyes, it's so boring: Employee perceptions of cybersecurity training,” Computers & Security

    [2]Humor and learning styles: toward a deeper understanding of learning effectiveness in the virtual environment,” Qualitative Research Journal

    [3]Flow: The psychology of optimal experience,” Harper & Row

    [4]When time flies: A comparison of flow states in expert and novice rock climbers,”  Canham, M. & Wiley, J., Cognitive Technology

    [5]The Use of Humor in Stories to Improving Students’ Reading Comprehension,” OSF Preprints

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top