I love using analogies when explaining things to people. If we compare learning some common activity that we all understand, like training people to drive, with the process of training employees to work securely, I think there are some important contrasting points for managers to understand. Do the following comparisons make sense to you?
It takes more explanation, more time, and more practice to be able to manage security risks effectively. A single, one-time training session is never enough for people to remember important concepts, to change people’s mindset and to develop consistent behaviors. So, addressing these key differences in training requirements is important for all businesses, large or small, in virtually every industry.
Tailored terminology keeps employees engaged
I find that many of my clients are adopting approaches to security awareness training that tend to provide more tailored terminology for elements of their daily job activities, policies and risks. Using tailored terminology is critical to keeping employees engaged in the training process. If too much generic language and guidance is used, people will not be able to relate the risks or recommended actions to their jobs, and the training will not be effective.
For example, the rear-view mirror in a car is always called the rear-view mirror. But in the world of security, we tend to generalize things like “safeguards” or “controls” as things we use to reduce risk or improve security. These terms are so generic that most people have no idea how they relate to their jobs. Even when we try to get more specific, it can be confusing. Something like a “firewall” that protects your network could be called a “router” or a “gateway”; or a “password” system could be called an “authentication system” or an “identity management system”. These kinds of terminology slips during training do not help the average employee understand the risks or the recommended actions for just doing their jobs.
To provide ongoing reinforcement of instructional content, some organizations regularly provide tips and stories to their staff. They can do this using email newsletters, bulletins, updates in blog posts or security awareness headlines in intranet website portals. Posting a data breach story from your industry on the security news page on a regular basis can be effective, especially if the stories are written at a level of explanation that people can consume easily. Terminology testing games, like the Security Jeopardy game, can also be very effective for promoting engagement and understanding.
Feedback and reinforcement of guidance leverage “teachable moments”
To provide opportunities for on-the-job feedback, I have started using a very powerful method called automated phishing assessments. In these assessments, simulated phishing emails are sent to employees to see if they recognize the risks of spear-phishing attacks. When employees get “caught” taking risky actions, this can help people realize that they need to slow down and pay more attention to the risks.
The amazing benefit of using these tools is that you can create the ultimate teachable moment for employees when they click on a link or attachment in a simulated phishing email. When a person absent-mindedly clicks on something without thinking about the consequences, they can be brought to a landing page that wakes them up with a big warning sign, a reminder that they should have been more careful, and an explanation of how they should have recognized and responded to the message.
People tend to remember the shock of being caught off-guard. The important thing for managers to consider, though, is that you have to be careful not to shame or embarrass people publicly. But the right kind of feedback, at the right time, is very effective.
It’s also important to provide opportunities for feedback from employees to management, so the effectiveness of the training can be directly monitored. To do this in the online programs I create for businesses, I use a Frequently Asked Questions feature on every page, which lets people ask a question, or look for more information based on questions that other employees have asked about that page. This feedback can allow the IT Security team or managers to identify areas of security that may not be described clearly in the program, or that people are struggling with.
Using scenarios to illustrate risky situations and recommended actions can reduce mental overload
To counter the problem of complexity, where we don’t have a single brake pedal to slow down and avoid risky situations, I like to use scenario-based learning techniques to help employees visualize situations relevant to their jobs. Then, they can be shown the appropriate actions they should take in each type of risky situation to reduce the risk. It’s important to use these scenarios to illustrate the “worst case” outcomes that need to be avoided, even if it takes a little longer. This helps people realize the value and importance of using security safeguards that often seem like barriers to productivity, but which reduce the larger risks to the organization in the longer term.
Putting it all together
Using a scenario for every type of risk can be time-consuming, and trying to teach employees about all the scenarios at once will still tend to overload their memories. But combining scenario-based learning with a recurring pattern of stories and tips (written in an easily consumable style), as well as effective feedback mechanisms, will tend to keep people more engaged, and allow them to learn to work securely over the long term.