“We need a different way to measure human risk. Not a standardized questionnaire or a phishing simulation, but independent and interactive assessment scenarios for multiple threat areas, each revealing different levels of knowledge and behavior.” Sigurdsson prefers to start with a human risk assessment that is then used to establish a training plan with relevant topics.
Incorporating rewards and gamification helps with motivation and adds a bit of healthy competition. It is also best to provide employees with scores and information on which answers they got right and wrong, instead of just a ‘Fail’. “And offering rewards for the highest score and creating a leaderboard within locations or departments,” Sigurdsson adds.
He thinks there’s also a need to ‘market’ the cybersecurity training program internally to help with buy-in. “Badly advertised security programs seldom gain flight. There needs to be an approachable person behind the initiative; department heads and middle management need to be fully onboard and supportive to gain some traction,” he says. Good results should be commended and given a shout out, while poor results must be remedied through training without blame or shame. “And the security program can’t be a directive from the top, instead presented as the mutual responsibility of all, from the CEO to the janitor,” he says.
4. Gamification and learning through practice
Gamification works particularly well in security, where participants enjoy demonstrating knowledge and skill, according to Corey Hynes, executive chairman and co-founder of Skillable. Security games, such as attack/defend, capture the flag, and red vs. blue, consistently achieve higher participation and engagement rates, producing better learning outcomes and skill acquisition. When training is done individually rather than in teams, leaderboards are a great tool to motivate learning, according to Hynes.
“Gamification does not need to be complicated to be effective when incorporated into a training program. Elaborate scorecards or complex automation and scoring may be unnecessary. However, putting people in peer groups supervised by an instructor or facilitator who can manage interactions and promote healthy competition can be incredibly effective,” Hynes says. He believes too many programs rely on ‘learning by viewing’ and don’t place enough value on ‘learning by doing’.
And in the future, as attacks become more sophisticated and frequent, often aided by the advancements in generative AI, Hynes believes organizations must prepare people to respond quickly and correctly the first time. “You will need more than reading or watching videos to prepare for that reality.”
5. Banish the one-size-fits-all approach
It’s vital to personalize lessons to meet the learner where they are, according to Shaun McAlmont, CEO of NINJIO cybersecurity awareness training. “To do so, companies need a training program that allows them to tailor lessons to individual or team needs, addressing the realities of their roles or personal vulnerabilities,” McAlmont tells CSO.
He sees several common features of many cybersecurity awareness programs that are misguided because they check a box for compliance purposes, but don’t consider how people learn and how to get them to change their behavior. “People won’t learn and change behavior if they tune out from the start, so we need to present the information with a mind to three things: timing, relevance, and personalization.”
“As cybersecurity is a complex topic with a lot of technical detail, giving someone a lecture once a year does not lead to a safer organization because people won’t retain the information well and they won’t change what they’re doing. Instead, regular monthly training is likely to keep the need for cybersecurity awareness top of mind,” McAlmont says.
Repeated academic studies have found the optimal lecture length to be 15 minutes, McAlmont says, so why try to convey critical information in long-form workforce training? “Instead, break up the training into shorter, digestible pieces and spread them out across that regular monthly cadence. Doing so avoids learner burnout and reduces the likelihood they’ll forget everything by lunch.”
To keep training relevant, learners need to be shown how a technical topic like cybersecurity fits into their lives. “That means building a relatable story that would make someone think: ‘this could really happen to me’, or they need to be able to connect the topics in the training to real-life events,” McAlmont says.
When someone makes a mistake, either by falling for a simulated phishing message from the IT department or a real attack, too many programs rely on punitive approaches, like enrolling that person in ‘remedial training’ or giving them a negative score. “Instead, stay positive and non-judgmental. People are more likely to engage with and contribute positively to cybersecurity awareness training if it does not carry a negative connotation or invoke feelings of fear,” he says.
NINJIO’s methodology is built around how people learn to change their behavior, which is a far better goal than checking the box for a compliance program. “Using animation-style, story-driven episodic content has proven to be some of the most engaging produced by the industry. And combining that entertaining approach with personalized delivery is completely new,” McAlmont says.
6. Cyber education needs to be a TREAT
We underestimate the power of storytelling when it comes to education, which means that instead of using hypothetical scenarios in training modules, it’s more effective to share real-world breaches, scams, or phishing attacks. “Learning from actual cyber war stories can teach many lessons from just one actual cyber incident,” SEI Sphere director of cybersecurity Mike Lefebvre tells CSO.
“Employees need to care about cybersecurity training for behavior to change. If cyber training is positioned as a life skill that can help protect employees at work and at home, it’s possible to improve training engagement,” he says.
And it needs to be timely, relevant, engaging, accessible, and terse, that is, TREAT. “So instead of using a complex, formal training module, we could introduce micro-lessons in near real time to end-users as they’re clicking a bad link or downloading that bad email attachment,” he says. “Until cybersecurity becomes as seamless as a seatbelt or airbag, we have a lot of work to do.”
It’s not yet clear what exactly AI means for cyber education and training, but its huge uptake may rewrite some of the rules about learning. Instead of the ‘garbage in, garbage out’ maxim that’s defined computer science to date, it may be more a case of ‘garbage in, recycled information out’. “AI breakthroughs suggest that it’s possible to make some intelligence out of seemingly bad data,” he says.
In the future, Lefebvre thinks education and training programs will need to be significantly reinvented to capture a generation that’s about to grow up with AI. “AI has the potential to fundamentally reframe how we as humans process and retrieve information,” he says.
7. Give employees real-time feedback on risky and non-risky actions
Traditional training of watching computer-based videos is not working, according to Kevin Paige, CISO and VP of product strategy at Uptycs. “Watching a video on a topic you don’t understand, expecting someone to remember the content and apply it in the real world is not how people learn.”
A better approach is to plug into the systems already collecting individual security and risk telemetry and use this data to give employees real-time feedback on the risky and non-risky actions they take daily. “Just like training a dog with positive and negative reinforcements, we can train humans based on real-time actions/information,” Paige says.
Paige believes training should show first-hand what happens when an employee clicks on a phishing email, types a password into an internet browser, opens shared files, or downloads a virus from an unsafe website. “When employees don’t download software from unapproved sources they should get positive feedback. If organizations can bundle this feedback and give employees a risk score, it will allow them to assess the overall risk posture of their company.”
8. Make cybersecurity part of the business conversation, but keep it relevant
Cybersecurity awareness and training can’t just be a one-off event. Instead, it needs to be a regular, ongoing conversation about threats and the changing nature of the risk landscape.
To help keep potential risks at the forefront of people’s minds, Rapid7 has developed its own weekly organization-wide security bulletin, covering both internal and external risks and threats. Like a weekly risk report, there’s a version for senior leadership and another that goes to the rest of the organization. The aim is to cover serious subject matter in a way that’s short and punchy.
“It’s a maximum of five items because I’m not trying to overload anyone. I’m just trying to level everyone up to start thinking more and more specifically about cybersecurity issues that would impact our organization,” Rapid7 CSO Jaya Baloo tells CSO.
“The leadership one features five internal items that we believe are genuine risks to the business, and they’re given to senior vice presidents and execs, as either action required or for information only,” she says. “And the five external items are the things that are happening in the rest of the world, whether it’s geopolitical events, competitors or regional things, that we can learn from, and that goes to the entire company.”
Baloo also believes in Google’s blameless post-mortem philosophy, an approach Rapid7 follows. “We’re not trying to get anyone dinged on this, we just want it fixed.”