Tracking the impact of a training program comes back to the fundamentals of learning: Does the program activate behavior change within your teams?
"Tell me, and I forget. Teach me, and I may remember. Involve me, and I learn."
– Xun Kuang
When it comes to learning and changing our behaviors, the impact of our experiences plays a significant role. We tend to remember experiences that have the strongest emotional effect on us. They make us ask thought-provoking questions – and spur us to take action.
People are more likely to act on an experience that resonates with them. Consider Susan, a 29-year-old suburban homeowner, who returned from work to discover she'd been the victim of a break-in. She'd never considered securing her home until she was robbed. The sheer impact of the loss left her wondering what other vulnerabilities she might have. After the incident, she proactively researched various insurance options and installed an alarm system.
Just as it is important to take security precautions in the physical world, it is necessary to do so online as well. According to Accenture's Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% of businesses are prepared to defend themselves. At this rate, it's more a case of 'when' than 'if' your organization could fall victim to a security breach.
Giving employees effective tools to prepare for a breach is the best way to build your organization's defenses. A great way to crystallize new InfoSec concepts in learners' minds is to get them to share experiences that evoke emotional responses. However, negative experiences like Susan's are not the only way to encourage a behavior change. Positive learning experiences also create an impact by fostering the creation of sustainable habits. To create a lasting security mindset, you need a program designed with personal impact in mind.
Cybersecurity training needs to take a proactive approach to security by activating employees. A security mindset can build a reliable defense against security threats. When employees are activated, they have the tools to impact personal and organizational security at large.
So, how do you track the impact of a cybersecurity training program?
When employees aren't given the time to think, can they learn anything of value? People relish valuable moments of realization. Think of Susan from the earlier example. If she had taken an action to purchase insurance and secure her home, she may not have been affected by a break-in. Similarly, a proactive cybersecurity approach focuses on the detection and prevention of risk. This approach prompts employees to act on their InfoSec realizations, follow through on their actions, and be similarly prepared.
Follow-through is a profound predictor that activates behavior change. It involves users embarking on challenges and taking action. This process informs users how to respond to security issues and adopt new, safer behaviors.
The best learning happens while taking impactful actions that activate behavior change. An example of this is when a challenge prompts teams to change their passwords during the learning experience. The password security problem is immediately addressed when they perform the action. Users can then report back on whether they followed through on the action. It is as simple as pausing, thinking, and then acting.
This differs from traditional training, which focuses on content transfer rather than absorption. Strenuous memorization and fast-paced training leave no room for thinking, taking action, and changing behavior. Follow-through activates employees through the impactful actions they take. These new actions, when consistently performed, can become habits that benefit the organization as a whole.
2. Shared Insights
Imagine that instead of simply installing an alarm system after her break-in, Susan had reached out to her friends, family, and colleagues to find out what they'd have done in her situation. The insights she gathered from them could have opened her up to learning something new or considering things in a new way – and they might have learned something too.
User insights are the pot of gold at the end of the rainbow. Insights can lead to a better understanding of people's thoughts and feelings, and they're a great resource for pooling experience and wisdom. Insights can express everything from humorous musings to deep concerns on a matter. Sharing them with others provides a more humanized experience. Curiosity is then sparked when people feel that they can add value to the conversation. This is what opens the door to any complex topic – like Information Security, for example – becoming accessible to all.
Sharing insights around their InfoSec training can connect employees and create a sense of belonging at work. In a workspace, this could take the form of employees sharing security tips and experiences or ideas that anyone in the team can use. This allows them to accumulate wisdom from one another in a powerful way – learning from people they know and trust.
3. Employee Engagement
An important metric for tracking the impact of InfoSec training is user engagement. User engagement helps to track the learning approaches that activate employees.
When engagement rates are high, it's an indicator of two things:
- The learning material resonates with learners
- Learners feel motivated and incentivized to complete the training
Once people feel driven to research cybersecurity and take action, you have made an impact. To track impact, users need to continue to fuel learning momentum and show engagement. It's difficult to track the impact of a program with low engagement rates.
Engagement can only happen when people have the time and the opportunity to learn at a reasonable pace. Without that, they can't engage with the learning material effectively, which can leave users feeling overwhelmed with new and unfamiliar content.
Imagine if Susan had had to make a choice about securing her home an hour after finding out about the break-in. Without doing research and talking to others, it's likely that she'd have made a less informed decision. Instead, she carved out time to engage in research so she could improve her personal security. Cybersecurity awareness should work in the same way.
Many companies are open and willing to activate change within their teams. Yet they miss a large contributing factor to their success: learning impact. Success can be tracked by using metrics such as follow-through, insights shared, and employee engagement.
Sign up for a free trial to Cognician's Security Maturity Quest that tracks success by focusing on creating impact. We involve each employee in a journey to deepen their knowledge, stopping them in their tracks to relish in the moments that inspire behavior change.