Reinforcement: a Key to Knowledge Retention, Risk Reduction


How would you describe your security awareness and training program? Game changer? Necessary evil? A little of both? Regardless, if you’re educating your employees about cyber security best practices, you’d logically want to make the most of your efforts. If reinforcement isn’t part of your plan, it should be. These types of activities are critical to achieving long-term success.


Out of Sight, Out of Mind

There’s a reason why the Wombat training methodology promotes continuity, interactivity, and regularity — it’s because this approach has been proven to be far more effective than one-off or once-a-year training. Consider these findings from EMA’s Security Awareness Training: It’s Not Just for Compliance:

Though there is variance in the number of repetitions required to learn something and in the ways people learn, a simple piece of information must be heard at least three times by the average person to be able to recall it in short term memory and up to 20 times to commit it to long term memory.

Organizations continue to provide training using very traditional models such as presentation and lectures or online videos and slide shows. These are generally only 20% effective in aiding retention of material.

Providing training at quarterly or longer intervals is too infrequent to reinforce the training knowledge and does not meet any sort of recommended educational standards to maintain retention.

Our methodology is based on research-driven Learning Science Principles. One of those principles is “Reinforce Lessons.” Why? Because repeating elements over time is a key to learning. Cyber security is no different than any other topic; without frequent feedback and opportunities to practice, even well-learned abilities go away.

The Rewards of Positive Reinforcement

Beyond just keeping cyber security top of mind for your employees — for more than just a few minutes a year, that is — reinforcement activities can help you build a culture of awareness and advocacy. And keeping things positive is a lot more effective than shaming or punishing employees who make mistakes. No technical safeguard or educational activity will take your organization’s risk to zero, but the right mindset and approach will allow your security awareness and training efforts to generate better results over time.

A great way to get your employees on board is to incentivize good behaviors. Here are some insights from our white paper, To Ensure Security Education Success: Think Like a Marketer:

People love free stuff, even something as simple as a pen. Your rewards for different levels of training should be direct reminders of your program, such as mouse pads or pens — items employees use every day. One of our customers was really clever, giving employees a program-branded sticky note to put over their webcam so that if it was maliciously activated it couldn’t capture anything.

Companies will also want to consider that lauding employees when they don't fall for a scam reinforces positive behavior by stating: "Hey everyone, Cindy thwarted a phishing attack today!" Executives can then give Cindy a ribbon or a coupon for a cup of coffee in the building cafeteria, a move which goes a long way in validating your program.

It’s a relatively simple idea, but a powerful one. And a little bit of thoughtful, feel-good reinforcement can pay some serious dividends over the long haul.


With a Wombat-powered security awareness and training program, reinforcement activities can be seamlessly integrated with assessments, education, and measurement. Our portfolio of Security Awareness Materials includes posters, articles, incentives, and other tools that you can use to reinforce key training messages and behaviors in and around the workplace. Our PhishAlarm™ one-click email reporting tool allows your employees to put their knowledge to work and report suspected phishing messages with the click of a button. Contact us to learn more.