Incredibly, traditional cyber security awareness training may actually decrease security awareness. Here’s how to ensure your security awareness campaigns increase resilience.

Last year, researchers looking into the security of mobile devices inadvertently uncovered something quite striking.

The researchers found that, as the reported frequency of security training increased, staff security awareness decreased: every additional security awareness training session an organisation reported holding was associated with lower security awareness among its employees.

To many in security, it has been clear for a long time that security awareness training needs to change. But what should the changes look like?

Here are five suggestions.

1. Fear

Introducing fear into security awareness training remains controversial. On the one hand, fear can make users weigh potential threats more cautiously, so long as they are also given practical advice on countering those threats. On the other, some research concludes that using fear in security awareness campaigns can backfire if the threats never materialise. For many organisations, though, they already have: 43% of businesses surveyed for the UK government’s 2018 Cyber Security Breaches Survey reported a cyber security breach or attack in the 12 months before the survey. It seems discussing the consequences of attacks, and framing them in context for users, could help training sink in – especially when the consequences are discussed as…

2. Stories

Stories are up to 22 times more memorable than facts alone – so it makes sense to include them in security awareness training. Suppose you want users to stop and think before opening email attachments. You could simply explain why they should. At CybSafe, though, we favour retelling stories such as that of Dridex. Dridex is a banking trojan, typically delivered as a malicious email attachment (an Office document whose macro fetches the malware) which, once it takes hold, harvests its victims’ online banking credentials. Retelling such stories in training keeps people engaged and gives them a concrete picture of what an unsafe attachment can do.

3. Rewards

Unsurprisingly, rewards influence human behaviour. Academic research shows, for example, that rewarding study increases academic attainment, and that rewarding exercise increases physical activity. Research even shows that increasing child support payments (in effect, ‘rewarding’ parenthood) increases birth rates. Rewards are almost entirely overlooked in cyber security awareness training, despite being commonplace in many other aspects of the workplace. To make security awareness campaigns more effective, positive security behaviours should be recognised and rewarded – with a caveat. The effects of any reward should be thought through and tested: in some areas, research suggests that rewarding certain behaviours in certain ways (paying people to donate blood, for example) can reduce the incentivised behaviour. For the most part, rewards work. They just need to be used with care.

4. Testing

Tests are a staple of even the most basic cyber security training. But most take place immediately after a training session, then never again. In 2008, Applied Cognitive Psychology published research on the effects of testing. The study divided participants into two cohorts: one tested on newly learned material one week after learning it, and one tested on the same material 16 weeks after learning it. Over the longer term, the cohort tested after the longer delay retained more of the material than the cohort tested after one week. The research suggests tests are more effective when delayed and, in our experience, tests that take place a little while after training can increase security performance. Today, companies run repeated security training sessions. It is probable that replacing those repeated sessions with delayed tests would increase security awareness.

5. Independent learning

Theories of adult learning suggest adults learn best independently, at their own pace, when barriers to training are removed. Yet in today’s security awareness campaigns, independent learning is the exception, not the rule. In our experience, removing barriers to learning is extremely effective (a notion supported by Nobel prize-winning psychologist Daniel Kahneman), which is why our cloud-based platform is accessible on demand.

Tick-box security awareness training might be doing more harm than good. But that doesn’t mean security awareness training as a whole is futile. By running security awareness campaigns grounded in psychology, CISOs can demonstrably improve security awareness, behaviours and culture. In doing so, they make their people another layer of defence.