The Status Quo in Security Awareness Training

Security awareness training always helps to protect the company and make the workforce more security-savvy. However, there are different approaches to designing it – some more effective than others.

To strengthen cybersecurity, it is essential for organizations to train their own employees in the secure use of IT, networks, e-mail, and the like. In many companies, however, security awareness trainers primarily conduct classic “old school awareness training”, i.e. frontal instruction over several hours in which countless employees are gathered in a room. In these “lessons” the “students” are then educated, and the task of the trainer is to get as much knowledge as possible into the heads of the employees in a short time. Drinks and snacks are provided as a motivational aid.

There has to be a better way, and in fact there are quite a few. With security awareness, several roads lead to Rome. Employees should be able to decide for themselves which option is best for their learning behavior – personal responsibility is one of the best motivators. Employees should therefore have a say in when, where, and how they take advantage of a training opportunity, so that it fits around their day-to-day work.

Web-Based Training

Web-based platforms can offer this flexibility and dynamism. For example, they provide a wide variety of content in different languages. Digital training also allows the use of videos and games consisting of a quiz or text-based modules. Employees no longer have to be at a specific location at a specific time, but can decide for themselves when and where the training is to be conducted.


The security awareness trainers, on the other hand, are given the freedom to choose from a range of content. They can then provide it individually and, depending on the success of the training, coordinate further measures with the individual employees by e-mail.

Small successes, i.e. shorter content with immediate feedback, motivate participants to take further action and continuously improve. According to the book “The Progress Principle: Using Small Wins to Ignite Joy, Engagement, and Creativity at Work,” life satisfaction is 22 percent higher among those who regularly achieve small wins. As a result, employees feel empowered and not forced to do anything.

Laziness, Habit, and the “Fun Factor”

Another part of “New School Awareness Training” focuses on capturing and holding participants’ attention during training. The basis for this goes back to the teachings of American social scientist B.J. Fogg.

He holds that there are three truths about human nature: we are lazy, social, and creatures of habit. The “New School Security Training” takes these truths into account. This means that instead of boring PowerPoint presentations, security awareness trainers should offer participants something that is fun, relevant to their work, and takes into account that people get bored very quickly.

The fun factor comes from short, continuous training sessions. Instead of a multi-hour session a few times a year, content should be consumed regularly and, most importantly, reflected upon. A high-impact training session can take place in 5-minute segments each month.


One of the benefits is that employees can fit the training into idle moments in their day-to-day work and immediately receive positive feedback or be challenged by repetition. In addition, the content is tailored to them and can even be topical, reflecting current events such as seasonal or acute phishing events.

Personalization and Lifelong Learning

Instead of requiring every employee to attend a generic training session, training can be personalized. Training content can be offered in a way that is relevant to the employee’s role and their particular job within the organization. The training required is tailored to the employee’s daily tasks and level of security awareness experience. Instead of a one-size-fits-all approach that most find boring, employees receive training that they can apply immediately.

People also tend to conserve their energy. It doesn’t matter whether employees follow their security training on the bus on the way home or on the couch in the evening. Giving employees responsibility for their own training schedule can motivate them and give them a sense of recognition and respect. Security awareness trainers decide what topics and content to give their participants, and of course, managers build their own “curricula” and consider the order in which training should take place.


In addition, the trainer retains control over the learning progress and can also have content repeated or deepened if necessary. In the end, any security awareness program must be in line with the company’s goals and values and align the training with the end result. Such programs can shape employee behavior to put information security first and empower employees to make the right security decisions when it matters most. This is a sea change from the traditional approach, where the needs of the business are usually the sole determining factor in the design of security awareness training.

It helps immensely to remember that people are training other people and that all adults have some prior experience from school. Very few people like the classic frontal teaching with homework and subsequent tests, and certainly not on top of the demands of daily work.

But when employees feel that clever and varied content, offered at times of day when the workload does not affect concentration, motivates them and imparts knowledge creatively, a new self-confidence arises that fits the values of a modern company better than classic blackboard copying.