Picture this: it's a Friday afternoon and an employee gets an Outlook email from IT. They realize that the security awareness training they've been putting off for the past three months is now due in 2 hours. The user scrambles to launch the training module and breathes a sigh of relief when realizing it's the same video and quiz from last year's training. The 1-hour video plays in the background while they finish their project and get 100% on the quiz.
This is a familiar scenario to many of us and poses a challenge for security teams everywhere who compete for users' attention, especially when research shows that 75% of organizations only have two hours or less per year to make an impact with security awareness training.
Users have different roles and knowledge gaps. They have diverse educational needs – not to mention the short attention span in this digital age. Security teams must fight these shortened attention spans and "zoom fatigue" by making training relevant to users' personal lives in and out of the workplace.
A "one-size-fits-all" strategy can leave users vulnerable and apathetic
Security awareness practitioners who struggle with limited resources and support are sometimes forced to roll out the same training content to all users. While trying to meet compliance requirements, such a program often fails to get traction from end users and leaves users vulnerable.
People are exposed to different attacks based on their role or data privilege, and attackers take advantage of this to exploit their vulnerabilities. Given users' limited training time, security teams that assign the same training modules to all employees inevitably leave some of these gaps unaddressed for certain users. Additionally, the "one-size-fits-all" training often demotivates and disengages people because the training is either too complex or too basic. Once users lose motivation to learn, their attention spans dwindle.
An adaptive learning approach gradually builds user knowledge and changes behavior
Unlike the "one-size-fits-all" approach, an adaptive learning approach provides users with a personalized learning experience. Firstly, a curriculum should be informed by a holistic set of security and privacy controls. Equally important is for security teams to understand the prevalent threats that the organization faces. Once the baseline of users' knowledge gaps is established, the security team can then build tailored education that allows users to build skills on top of what they've learned.
Proofpoint takes this approach and introduces the Adaptive Learning Framework. This framework provides users with training across different domains and difficulty levels, starting with a foundational curriculum that covers the basics. This ensures that every user has foundational knowledge across all key security and privacy domains. From there, security teams can assign a different combination of training with progressive levels that go from the basics to beginner, then intermediate and advanced concepts.
This framework allows you to build concise and specific training to an objective. We call this specific training "Micro-learning." The content is no longer than three minutes in length and can be sequenced and combined to provide learning paths tailored to individuals' roles and knowledge. With the Adaptive Learning Framework, you can provide training flexibility with regards to when and how much training is consumed. It engages users in their skill progression and encourages mastery of content.
Figure 1: The Adaptive Learning Framework at Proofpoint spans different domains and topics, from basic to advanced.
Organizations can utilize the Adaptive Learning Framework as the foundation to
- Reduce risk
- Shape user behavior
- Empower security culture
Reduce risk
With the Adaptive Learning Framework as a foundation, you can assess across domains to identify the most knowledgeable and vulnerable individuals. You can do a baseline assessment to measure improvement over time; tie together training and assessment content across a domain, level and outcome. In addition, this framework ensures that every user has foundational knowledge across key security domains and that users are equipped with the right skills to protect themselves and the organization.
Shape user behavior
The Adaptive Learning Framework helps users learn positive security habits in easily digestible pieces that make them easy to implement in their daily lives through microlearning. It lets organizations personalize users' learning experience based on their needs, leading to increased engagement, relevancy of content, and maximizes autonomy and motivation. Additionally, this framework provides a universal security language and creates a common understanding and vocabulary, making it easy to engage.
Empower security culture
The Adaptive Learning Framework builds an adaptive, structured approach to learning that users find purposeful, personalized, and progressive. It helps build a culture of mission and empowerment at all levels of an organization. It helps security teams prioritize the skills and concepts they want users to learn in the right order. And it also allows users to understand what the leadership team is expecting from them. The framework lets users play an active role in building the organization's culture, enabling top-down buy-in and top-down participation.
Let's imagine this scenario: A user belongs to an organization that uses the Adaptive Learning Framework. Every time they log into the platform to complete a training, they know they can look forward to learning something new. The content has helped the user perform well on phishing simulations, and the security team has even recognized their progress. This user scheduled time on their Outlook calendar to complete the training across several weeks in the quarter. The deadline to complete the training approaches, and they breathe a sigh of relief, knowing everything was completed ahead of time.
Where do we go from here?
At Proofpoint, our goal is to help create a strong last line of defense in all organizations by combining threat intelligence into our training and developing a framework through which security teams can provide varying levels of training that build on complexity over time. By delivering training that builds on concepts gradually, users will build their toolkit of cybersecurity best practices over time, reducing the risk of compromise.
To learn more about our Adaptive Learning Framework and its role in security awareness training, listen to this webinar recording here.