Learning Science and Security Awareness Training: Connection Is Key

April 19, 2019
Gretel Egan

Question: How do you learn? It may seem like a broad query with many answers … and different people do learn in different ways and at different paces. But there is (fairly) universal agreement on one aspect: It’s nearly impossible to learn new skills without regular practice and reinforcement.

As you consider how you’ve learned the skills you now possess, you’re likely to realize that your knowledge developed over time. Now, think about how difficult it would have been to acquire and apply new skills if you’d received just one or two hours of instruction only once or twice a year.

So, why are so many organizations assuming their users will “get” security awareness training a similarly small amount of time? And why do so many organizations ignore time-tested education principles when teaching employees cybersecurity skills?

Time Is Money … in More Ways Than One

Some organizations struggle with the idea of pulling workers away from typical job functions in order to train them on cybersecurity best practices. Others seek the most expedient—and lowest-cost—path to ground. Thought processes like these relegate security awareness training to “nice to have” status—when, in actuality, it needs to be elevated to “need to have” status.

Cyber criminals are on the prowl 24x7, seeking new and ingenious ways to reach users at the desktop and fool them into making mistakes that provide inroads to inboxes, data and systems. Infrequent training cannot prepare the average employee to spot and avoid attacks that come in many forms, via many channels, throughout the year. Your security awareness training program should offer more than broad, high-level education across your organization. You also want visibility and agility, which allow you to put your threat and business intelligence to work for you. Seek solutions that allow you to identify employees that are being regularly targeted by attackers, the threats these users are facing, and the vulnerabilities they exhibit—and then deliver focused training that improves user behaviors and helps them become a stronger line of defense.

Budget outlay and employee training minutes aren’t the only factors in the “time is money” equation. Organizations should also consider the benefits that result from a more empowered, knowledgeable user base—benefits that include:

  • Fewer cybersecurity incidents overall
  • Less downtime for employees who fall for attacks
  • Fewer remediation hours spent by infosec teams to correct mistakes
  • Better recognition and reporting of incoming threats that evade technical defenses

But to get there, you need to do more than train regularly: you need to train effectively.

Embrace Learning Science Principles to Drive Better Results

The idea of learning science is certainly not new, and original research on the topic identified a number of best practices for driving knowledge retention and successfully teaching students new skills. We concentrate on 10 of those principles, chosen because of their applicability to adult learning environments, and subsequently proven effective in security awareness training research conducted at Carnegie Mellon University:

  1. Offer conceptual and procedural knowledge
  2. Serve small bites
  3. Reinforce lessons
  4. Train in context
  5. Give immediate feedback
  6. Let them set the pace
  7. Tell a story
  8. Vary the message
  9. Involve your students
  10. Make them think

If you’re interested in learning more about the science behind these 10 precepts and how they apply to cybersecurity education, visit our Learning Science Principles page and then experience our security awareness training tools for yourself.