9 Ways To Make Cybersecurity Awareness Training More Engaging

Phishing was responsible for the highest number of cyber compromises in 2021. As a result, more and more businesses are investing in security training and awareness initiatives.

New evidence proves that regular training exercises can positively influence security culture and enable employees to defend against ransomware-laced phishing attempts and related social engineering attacks.

Having said that, a large majority (85%) of employees are disengaged at work. That’s why it is imperative for organizations to design programs that encourage training participation. Below are nine recommendations that can help:

1) Turn Leaders into Advocates

Everyone expects to see leadership ‘walk the talk’ and care equally about keeping their organization secure. That’s why senior management should actively participate in security training to showcase their support for cybersecurity resilience. Nothing sells a security program better than seeing leadership teams actively invest in security awareness and live out security values.

2) Share Real-World Examples

Textbook training can be boring, but security doesn’t have to be. Humans, as a species, easily learn and apply values that are expressed in stories. That’s why it’s important that team members share their stories of successes and failures. Cite examples of past incidents: how early warning signs were missed, how the incident was eventually identified and, in hindsight, what could have been done differently to prevent it from occurring. It’s always a good idea to show that as humans we are prone to biases and mistakes, and that even the best of us can be fooled by social engineering. Remind employees not to be embarrassed if they miss something and to always report anything suspicious.

3) Involve a Diverse Set of Team Members

Security is everyone’s business. Having a diverse set of trainers from different departments such as R&D, marketing, HR and sales has many benefits. It makes training more representative: the trainer can describe a relatable use case or provide context that a traditional security trainer may have overlooked. It’s very likely that members of your security team are not the most effective communicators. Involve speakers who can communicate with a diverse set of workers in a manner they understand.

4) Include a Variety of Content

Security programs should consist of a variety of content, including tabletop exercises, videos, quizzes, simulations, Q&As and short presentations. The idea is to break the monotony and encourage interaction and collaboration. For example, every training should use quizzes. Online quiz platforms (such as Kahoot!) help trainers gamify their quizzes.

5) Make Training Fun and Rewarding

Training doesn’t have to be dull and uninteresting. Emotion is key to engagement; in fact, humor is known to have a positive effect on training. Reward people for their participation and interaction. Offer prizes and freebies: give out prizes for answering questions correctly, and announce a raffle or a giveaway at the end so that people stick around for the full session.

6) Design for Both Remote and Local Teams

Most organizations today have a sizable remote workforce. Ensure remote workers have an opportunity to attend; in fact, remote workers may need more focused training. If feasible, have a dedicated team hosting the remote community, handling any audio-visual (AV) emergency and organizing quizzes, prizes and rewards.

7) Invite Key Vendors To Participate

Vendors will often agree to speak at or sponsor (door prizes, food, beverages, etc.) a training event. Vendor speakers usually have credible experience spanning a number of industries and often bring along good content. The idea is not to make a sales pitch but to keep the content security-focused and vendor-agnostic.

8) Manage It Professionally

It’s always a good idea to plan for success. This means creating project timelines, designing communication plans and making sure everyone involved knows what their role is. If possible, get help from marketing or business teams that are experienced in running events. Record the event for those who are unable to attend. Ensure your event is right-sized — not too long, not too short; about sixty to ninety minutes is standard. Educate your audience beforehand on how phishing simulation exercises work, how they help the organization, and how often they can expect them.

9) Take Risks

The goal is to educate, entertain, and (most importantly) engage. You are investing in a long-term relationship with everyone in your organization. No training will run perfectly, and nobody will get it right the first time. That’s why trainers must experiment with different approaches, tools, exercises and content types to understand what works and what doesn’t.

Finally, never lose sight of key metrics. Metrics will help determine the success of a training program and justify its investment. Ensure you track behavioral changes over time (number of phishing incidents, activities being reported, ratings and surveys) and fine-tune your program where necessary. The end goal of security awareness training is not to check off another compliance box, but to strengthen the security culture and build a more cyber-resilient organization over time.

7 Ways to Create a Security Culture at Work

The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level.

The security industry has struggled to define security culture for a long time. Security leaders talk about its value, but they tend to do so without precision — which can be incredibly confusing for business leaders.

Here’s our take on security culture, developed over many years at the intersection of two worlds: academia and “in the trenches” practitioners. Security culture can be broken down into seven components, which we refer to as dimensions. These dimensions are interdependent; each one influences the others.

Dimension 1: Attitudes

The attitudes your employees have toward security are a critical factor. When employees take a negative view, they’re much less likely to abide by the rules and act securely. This means that finding ways to foster positive attitudes toward security can be a great strategy to improve employee behavior and, ultimately, your security culture.

Ask yourself: To what extent do employees care about security? Are they positive, neutral, or negative?

Dimension 2: Behaviors

What employees see other employees do affects their own behavior. Most people are likely to adopt the behaviors they see modeled by others when they’re in a group. We’re also very likely to do what we’re told by someone in authority, which suggests that leadership should be actively involved in security.

Ask yourself: What are considered acceptable behaviors? What do employees see others doing?

Dimension 3: Cognition

What employees know can influence their behavior. However, just because someone is aware doesn’t mean they care! And even caring doesn’t always translate into behavior. This is what Perry calls the “knowledge-intention-behavior gap.” Training is an important part of any security culture program, but it’s not the end-all.

Instead, consider training as only one of many tools in your toolbox. Support it with strong messaging from your executives and leadership teams, and make sure your employees understand why security is paramount.

Further support your training program through behavior design initiatives and by trying to foster other areas of influence, such as reward and reinforcement systems.

Ask yourself: What do employees know? How do they learn? How do they apply that knowledge?

Dimension 4: Communication

One of the skills of great leaders is their ability to communicate. Often, you’ll hear them repeat the same vision many times over, in many different forms and forums.

Great leaders recognize the importance of setting the agenda and repeating the message so that every employee can understand and relate. Security is no different: If you want it to happen, repeat your values often and find ways to make people talk about them.

Ask yourself: How is security communicated throughout the organization? To what extent is leadership involved? Is security considered a core value?

Dimension 5: Compliance

Organizations need rules to ensure employees know what’s allowed and what’s not. Some organizations are very good at implementing policies and incentives, whereas others are not.

If your security policies and procedures aren’t being followed, it may be because employees are unaware of them, because they are too difficult to follow, or because you need other methods and systems to support compliance.

Ask yourself: How well do employees adhere to policies and procedures?

Dimension 6: Norms

Norms are the informal rules: the policies of the group that aren’t written down and formalized. They’re “just the way things are done around here.” Unfortunately, because of perceived peer pressure, people are more likely to follow norms than to comply with your policies.

What’s the fix? Seek out any disconnects between your norms and your policies. Find ways to influence your norms to better align with policy. This is accomplished through a combination of communication, social pressures, behavior design, and traditional training methods.

Ask yourself: To what extent are security-related beliefs, behaviors, and values embedded in the norms and unwritten rules of the organization?

Dimension 7: Responsibilities

An organization in which every employee actively takes part in the security program is a healthy one. Empowering employees to make relevant security decisions during their workday is a valuable strategy.

Likewise, making sure employees understand that even a tiny action can make a huge difference is mission critical. Try to focus on the positive change the employee can make instead of dreaded and ineffective fearmongering.

Ask yourself: To what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?