What Can Your Users Learn in Less Than 10 Seconds?
As infosec teams work diligently to shore up their systems and endpoint security, more and more organizations are adding security awareness and training to their prevention repertoires. This is an excellent thought process. Unfortunately, too many organizations are confusing awareness with education. And doing so will prevent them from achieving the results they crave.
Why a Teachable Moment Is Not Training
If you are familiar with our simulated attack assessments, you know that we believe in capitalizing on teachable moments. In fact, that’s the name we’ve given to the embedded “just-in-time” messages that are paired with our mock attacks. Our Teachable Moments are presented to users at the time that they interact with a simulation — like a ThreatSim mock phishing message — and these brief, informational pop-ups explain the exercise to the end user and offer a few actionable tips that can help prevent future mistakes.
Several other security awareness providers also use “in-the-moment” interactions with end users. Unlike our Teachable Moments, however, their messages are lengthy and, in some cases, full-blown training videos or presentations are delivered following an errant click.
Why do we shy away from this approach? Mainly because you cannot count on reaching a receptive audience at the point of the foul. And you definitely can’t count on users taking in everything you want to say. One simulated phishing provider estimates that clickers interact with in-the-moment messages for only 7 to 9 seconds. Which begs the question: How much can anyone possibly learn in under 10 seconds?
With Training, Timing Is Everything
So, what’s the difference between a Teachable Moment and actual training? In our opinion, it comes down to timing and depth of content.
Take simulated phishing attacks as an example. The moment that an end user interacts with a mock phish could happen at any point in the day. Sure, it could happen while they’re sitting at their desk, not too busy, with a nice slot of time open and ready for a training assignment to swoop in. But isn’t it more likely to happen while in the middle of a project, during a meeting, right at the end of the day, just before a supervisor walks in, etc., etc.? A “Surprise, it’s time for training!” message is likely to be met with a “No thanks!” dodge.
Even if an end user happens to click at just the right time as far as calendars go, that pop-up message is going to come as a bit of a shock. And that could elicit a range of emotions. Once a user realizes a mistake has been made, fear, anger, and/or anxiety could easily take over.
Here’s our bottom line: If end users feel “ambushed” by training, they will not be in the right mindset to learn. And they will likely close out as quickly as possible. This is a primary reason why we don’t believe you can effectively deliver security education directly following simulated attacks. Although a Wombat education assignment can be triggered by an interaction with a mock phishing message, end users are not presented with a training module at a moment when they are caught unawares.
Ask Yourself: Are You Providing Awareness or Training? (Hint: There’s a BIG Difference)
Teachable Moments provide a great opportunity for raising awareness of an issue and for priming an end user for follow-up cyber security education. But training they are not.
As you evaluate the effectiveness of your end-user risk management efforts, we ask you to look not only at your results but also at your approach. It is critical to consider the role of your security awareness and training program. If you are allowing awareness exercises to take on the role of education, your end-user defenses will never be as strong as they could be.