Could your information security training be better? Here’s how you can improve it.
Recently, a conversation with one of our clients turned to information security. We agreed that cybersecurity training programs lack impact and, more often than not, fail.
The overwhelming sentiment among our team was that learning should “focus on things they don’t already know.” But more importantly, good infosec training should “Activate people to actually do something.” For example, how many times have you watched a DIY video on YouTube, showing a task which seemed really easy at the time, but when you tried to do it yourself you were left scratching your head? That’s because the video was a passive learning experience, and only the practice of the task is an active learning experience. And that’s why doing the task is the best way to learn it.
Following the conversation, we took a hard look at the InfoSec training supplied by our external vendor to see if we were getting the results we wanted. Spoiler alert: we weren’t. So, we set ourselves a simple goal: make a security maturity program that works – and lasts. In this piece, we'll explore what we've learned and discuss the main reasons why InfoSec training fails and how you can avoid similar failures.
Inauthentic language and the veneer of a caring approach
Does your cybersecurity training treat employees like adults or like children? Does it tell people things they already know in the tone of a know-it-all teacher? Condescending and patronizing experiences are fatal in learning.
We’ve all been there; you have made time to tackle the assigned training that you’ve been putting off all week. Things are going along fine until you have to ride out a painfully obvious explanation of why password security is important. Your instructor offers each key point like it’s a gift. And you’re left thinking, “Really? I have to sit through this?” What happens next? You go onto the next lecture and don't actually do anything about your password security.
But it doesn’t stop there.
Your instructor might even say they “get it” when referring to how busy you are, or congratulate you on picking a random but correct answer for a multiple-choice question. Conventional InfoSec training tends to try its best to be uplifting and supportive, but too often it comes across as fake and contrived.
There is little that can boil blood faster than condescension. First, it makes a learner feel disrespected. Then, instead of connecting to the information, learners feel a sense of frustration and anger that they have to do something that feels pointless: this is the perfect storm for training failure.
Authentic language and tone are essential components of any successful InfoSec learning. When designed well, content engages readers on their level and draws them in. It should entertain, inform and persuade. When someone enjoys what they are reading, it invites more active learning and thinking, and – if adequately supported by a well-designed system – it can activate lasting behavior change.
A lack of meaningful questions
Are questions good? Mostly, yes. But sometimes not. Conventional InfoSec training often includes meaningless questions that serve no purpose. At Cognician, great questions are a core component of our methodology. Here’s why:
Good questions are crucial to creating learning experiences that are effective. In their piece “The Surprising Power of Questions”, authors Alison Wood Brooks and Leslie K. John suggest that “Personal creativity and organizational innovation rely on a willingness to seek out novel information. Questions and thoughtful answers foster smoother interactions, they strengthen rapport and lead groups towards discovery.”
Asking good questions – ones that use a supportive, respectful tone and framing – really matters. The right question at the right time can unlock learning. Patrick Kayton, Cognician co-founder, suggests that “Questions can direct the attention of learners, connecting dots between new ideas and old. They can open new spaces in the minds of learners, which enable the formation of new neural pathways.”
Conventional InfoSec training rubs learners the wrong way by asking counterproductive questions. To make training more interactive, many programs insert multiple-choice questions, seemingly at random. Here are some examples:
- How much money does the average data breach cost?
- How many passwords get compromised every year?
For some users, questions like these create stress or a sense of unease because learners may feel inadequate when they don’t know the correct answer. These questions take a user back to middle school, where questions are designed for you to recall information verbatim. Here’s the problem: the mind does not learn well under conditions of stress.
However, weak questions can insult people’s intelligence or feel like an interrogation. For example, one vendor’s cybersecurity learning program we used included this ‘gem’: “Did you know that changing your password is a good idea?” Their program would have been improved had they asked a question like, “What do you think constitutes a good password?” This question will make participants think deeply and become more active in their learning – rather than disengaging from the course.
Questions should not be used to catch people out but rather to inspire people to apply critical, creative, and imaginative thinking to their work. Effective questions make people curious, directing their attention to ideas requiring their focus. The right question at the right time can fundamentally change the way a person thinks about cybersecurity, which has the power to shift attitudes, mindsets, and behavior.
Depersonalized training content
Good learning experiences create meaning for the learner in two ways. The first is an opportunity to learn about a topic and then put what's learned into action. The second is personal meaning. This is the most important. If a person can't relate to or connect personal meaning to a topic, they will forget about it in a matter of days, and they'll be unlikely to act upon it.
In a world with media jostling for our attention, one-dimensional information like a book, info packet, or slide deck seldom has an impact. Nothing is engaging about sitting through a long, boring video with someone lecturing at you. Talking for extended periods is not quite it: that's a lecture, not a conversation. Most lectures are impersonal, meaningless interactions that treat learners as objects instead of people with their own experiences and ideas to contribute. The best way to activate behavior change is through meaningful conversations.
InfoSec training should be intentional about creating personalized user-centered experiences instead of generic messages and content.
Ignoring psychology
Humans are the weakest link in the chain for cybersecurity. Again and again, we see simple human errors that have cost companies millions of dollars. This leads us to the third area of cybersecurity training that we would like to improve: considering psychology.
For example, any information security professional will tell you that installing software updates is one of the most important ways to secure your devices. Installing updates should be a no-brainer, but unfortunately, it’s not. Many people seem to be averse to update prompts and patches – perhaps because they appear to come at the wrong time. When we have a looming task over our heads that we don’t want to do, our solution is to do it tomorrow. And in a world full of threats, tomorrow might be too late.
We all procrastinate, and we’re all guilty of hitting pause more than once. Procrastination is a habit. Breaking bad habits is possible with the right tools and encouragement. Unfortunately, most cybersecurity training does not fully consider how to approach fixing lousy security habits. Good InfoSec training should take human behavior into account and help people develop good security habits.
Learning experiences should incorporate techniques to build habits that make people feel inspired and guided and in which they have an opportunity to practice and repeat.
Final thoughts
Creating effective cybersecurity training is not easy. We understand training programs are always well-intentioned and that factors like budget and time can play a role in the success or failure of these initiatives.
To counter this, we've created a neuroscience-based approach to InfoSec training. It focuses on creating powerful experiences which, in turn, drive lasting and sustainable behavior change in almost no time at all.
Ready for training that works? Read more about our Security Maturity Quest now and how it can improve security maturity by up to 25% in 30 days or less.