Can you remember that question on that exam you took, a few years back, you know the one? No, me neither. I do remember coming out of an exam room, having revised like a crazy thing, only to find a day later I remembered literally NOTHING!
That is the thing about exams and questionnaires in general, they are 2D and human beings live in 3D. Here is The Defence Works why “Security Awareness Training should not be done under test conditions”.
Does Security Awareness Training Matter Anyway?
Over the last few years, Security Awareness Training has become recognised as being a fundamental way of preventing a cyber-attack. Why? Well, because 99% of cyber-attacks require human intervention. That figure does not stand alone. Analysts, vendors, companies, all agree, the finger that clicks the link or downloads the malware is where cyber-incidents begin.
A report from Analyst Juniper Research, which mentioned yours truly, The Defence Works, said that:
“As social engineering continues unabated, the use of human-centric security tactics needs to take hold in enterprise security.”
How you actually perform the Security Awareness Training, effectively, is another matter. The Security Awareness Training industry is fairly new in the scheme of things. Still, since its inception, there has been a number of variants on the theme of teaching employees about cybersecurity risk. They generally fit under the umbrella of either classroom-based or web-based teaching methods. The trick that all types have to achieve is to change the way people react in response to cybercriminal techniques used to manipulate behaviour.
If you can change behaviour such that an individual thinks before they act and has the underlying knowledge to proactively react, then you’re going to improve your overall risk level. But what methods are good enough to truly get through to people to make this happen?
What About Security Awareness Multiple Choice Questionnaires?
Security Awareness packages often use a type of multiple-choice questionnaire (MCQ). You can see them all over Google if you search for them. The MCQs are based on a list of questions that focus the user’s mind on security problems and related things, they might encounter, an example of an entry question could be:
Q: What is a hacker
A, choose one from:
- A teenager in a hoodie
- A state sponsored group that can hack IT systems
- An individual(s) that are security savvy and look for vulnerabilities in systems
- All of the above
Further questions would be around specific security-related questions of the ‘what if’ type. For example:
Q: You receive an email asking you to download and complete an expense form, do you:
A:
- Download the form immediately and complete it
- Check for tell-tale signs that this is a legitimate email from your company
The employee goes through these questions, either online or in a classroom environment, and gets a score at the end. They can do them as many times as they like in the hope the information will eventually sink in.
It can be dry, it can be boring, it can be easily forgotten once you walk away from the questionnaire, in the same way, you forget exam questions once you’re outside the exam room.
What’s the Alternative to Security Awareness Questionnaires?
Interactive training, where users actively participate in the sessions, is an alternative to questionnaires. This type of scenario-based teaching is more about transferring knowledge than remembering questions and answers. Interactive videos or other scenario-based awareness sessions provide on-the-fly feedback responses that can be used to reinforce messages and make learning more interesting and more memorable.
Scenario-based Learning or Bust
When a staff member, who may have limited IT capability, has to understand the often-complex nature of cybersecurity threats, they are effectively learning a new skill. New skills take practise and they need to be reinforced by making them meaningful. Feedback is also very important in reinforcing and refining the skill.
One thing to note in all of this is that learning about security is pretty much the same as learning about other things in life. That said, there are many ways to learn. However, research has found some important points when teaching that can be used across the board, no matter whether you use multiple choice questions or interactive sessions.
- Do it in chunks. Provide short sessions that are built upon and repeated for optimal learning.
- Use “interleaving”, i.e., switching between ideas as you learn. This creates a natural break between sessions and can help to reinforce ideas and connections between cybersecurity areas such as good password hygiene.
- Apply ‘concrete examples’ to learning, i.e. make connections in the mind of the trainee using real world scenarios to allow your employees to make real-world links, and again, reinforce learning.
– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.
Answer C: Say Bye, Bye, to the MCQs of Security Awareness
Cybersecurity incidents are damaging. They cost money, they cost time, they cost jobs, they cost staff self-esteem. It is extremely important to choose the right method to empower your employees with security awareness. Using multiple choice questions may have some merit as a back-up or confirmation system but it cannot replace scenario-based, interactive training. If you want your employees to actually remember what they have learned and how to then apply that knowledge, you have to engage and reinforce. Training is about building confidence and this can be done by connecting with your staff. Scenario-based and interactive security awareness training provides the environment needed to build knowledge, reinforce it, and strengthen it through feedback.
When creating a tailored security awareness training package that works for your organisation and your employees, chose one that sticks and creates scenarios that resonate.
Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.
Subscribe to the Proofpoint Blog