Most security awareness professionals and CISOs agree that user interest and engagement are helpful for security awareness training effectiveness. Engaged users support behavior change that can reduce the risk of data loss and breaches. But ‘training’ is not normally considered entertaining or fun. Offering balanced and engaging training content in a variety of formats—videos, animations, modules—yields effective learning outcomes across organizations. Here are some best practices for keeping your users engaged and entertained during security awareness training.
Keep it Relevant
All users do not face the same challenges. Based on their role and responsibilities, users have access to various levels of sensitive data, administrative functions, and mission-critical applications. In its simplest form, user segmentation could be just two tiers: privileged and non-privileged users. The principle is that users should receive training relative to their role.
Examples of content focused on privileged users.
For instance, all roles may need an introduction t privacy principles, but unless they have access to EU (European Union) data or resources, they may not need specific GDPR (General Data Protection Regulation) courses. Further segmentation could be derived, such as by department or geography.
Have Fun with Variety of Content
Single dimensional programs are old school and may not give you the best results. While security awareness training cannot (and sometimes should not) be exciting all of the time, a balanced repertoire of content is the goal, where serious and important subjects are presented within an assortment of materials that can meet the needs of organizations with distinct cultures or geographically specific learning styles.
An example of basic security skills would be a training module that reviews phishing, web browsing, physical security, social threats, and privacy. This could be supported by a handful of lighthearted awareness videos, that use humor to highlight the concepts of the training module or a game that helps teach the correct behaviors.
Examples of short, humorous and reinforcing videos.
And periodic reinforcement of those principles via videos, animated sketches, games and articles will help training become ‘stickier’ and users will be more apt to incorporate their learning in their day-to-day routines. Contrast this approach with the dreaded email from HR (Human Resources) or compliance that you have 30 days to complete your annual security training or else!
Ensure Responsive to Industry Challenges and Environments
All companies do not face the same challenges. The operating challenges and environments from healthcare to retail are quite different. And so are the regulatory requirements. This may seem basic at first, and it is; most organizations understand that as a healthcare provider or retailer you have many similar and some unique requirements based on your industry.
However, each organization faces its own set of threats that change over time and shift based on economic, political and environmental challenges. The pandemic has lead to malicious activities against healthcare providers and their customers and seasonally retailers and consumers face an onslaught of scammers and attackers during holiday shopping. At some point, everyone knows about the new attacks, but timing is critical.
A security awareness program enriched by threat intelligence will keep users and organizations safer. By understanding what threats are emerging, organizations can use hard-hitting awareness materials to alert their users to be on guard against the new attacks and exploits. Threat intelligence supplies the agility organizations need to keep ahead of their ever-evolving industry threats. Your users will notice too; having the inside scoop and early knowledge will only improve their perceptions of the value of security awareness to themselves and their organizations.
Examples of threat alerts that inform users to be on the lookout for new deceptions.
Balance is Key
The bar for training has been raised; users live in a 4K world of dazzling media and entertainment. But all the fun materials in the world will not replace the need for some level of traditional learning and assessment of users for their security awareness.
But with a balanced approach, using variety, assortment and relevant content, organizations can improve user engagement and interest. With improved interest, behavior change is more likely, and organizations can transform their users from security liabilities to security assets.
Test drive Proofpoint security training and awareness materials here. You will find effective training modules, security awareness materials and videos that help users understand their critical role in keeping your organization safe.
Subscribe to the Proofpoint Blog