Reinforcing Key Topics Is Critical in Security Awareness Training
Are you reinforcing key principles of cybersecurity with your end users? And are you doing so on both an awareness and training front? If you answered “no” to either of these questions — or if you’re uncertain about the differences between raising awareness and delivering training — read on to find out how you could be undercutting your chances for success.
Reinforcement: the Big Sister of Repetition
Repetition certainly gets a bad rap — and rightfully so in some cases. (My kids asking me the same question 300 times in a five-minute span comes to mind.) But not all repetition is bad; in fact, it’s critical to regularly revisit key cybersecurity topics in order to encourage knowledge retention. Our Continuous Training Methodology is based on our founders’ pioneering research that tested the application of learning science to cybersecurity training. Reinforcement is one of the Learning Science Principles that is essential to long-term knowledge retention and behavior change, and it is a foundational component of our methodology.
So, how does reinforcement differ from repetition? It’s really about timing and intent. Reinforcement occurs close enough to an original event to trigger a memory response in participants. The difference is clear when you compare once-a-year training to ongoing education programs. Often, yearly training presentations repeat the same content every 365 days; because of the long time span between training events, these presentations essentially reintroduce concepts to users. In comparison, continuous training programs reinforce key principles at regular intervals, helping to build “muscle memory” and allowing users to convert suggested cybersecurity best practices into practiced habits. This is a far more effective approach if knowledge retention is a goal (as it should be if you wish to maximize your training efforts and expenditures).
We often encounter organizations that are training just once a year (with disappointing results). But we also see organizations at the opposite end of the spectrum; namely, companies that want to do ongoing training, but that don’t want to revisit any training module more than once (even in a multi-year span). Neither of these approaches prioritizes reinforcement, which is a disadvantage.
We feel it’s important for all program administrators to consider how they learn something new and eliminate an "IT vs. end users" mindset. For those of us in the cybersecurity space, issues like phishing prevention, ransomware avoidance, and password hygiene seem like old hat. But none of us learned about these topics in an hour or two, or by thinking about them just once a year. Most users’ day-to-day job functions don’t center on data and network safeguards, so they will not have the opportunity to learn new skills unless we legitimately teach them. Keeping these topics top-of-mind for employees as much as possible is the best way to help them develop better habits.
So…now you’re ready to bombard your users with all kinds of awareness and training materials, right? Not so fast.
Why More Isn’t Always Better When It Comes to Security Awareness Training Content
There is an old saying that “more is more.” This phrase is very applicable when you’re talking about chocolate and hours dedicated to Netflix binges. Not so much when you are talking about selecting content for a consistent, cohesive security awareness and training program.
Just as there is a science to learning, there’s a science to effective reinforcement. Consistency is key — though that doesn’t mean repeating things word for word, over and over again. Here are a few additional Learning Science Principles we apply in creating our cybersecurity awareness training content:
- Offer conceptual and procedural knowledge (i.e., mix “big picture” training with problem-solving techniques).
- Serve small bites of training rather than combining 15 topics into a two-hour session.
- Train in context to show employees how the education applies to them.
- Use storytelling techniques to keep users more engaged.
- Vary your message slightly to allow employees to experience the same concept in different contexts and forge new connections.
- Keep users involved by using education that allows for hands-on practice and decision-making, rather than resorting to presentations and videos that don’t support interactivity.
It’s important to be thoughtful about content delivery, and the surest way to do that is to choose a partner that is thoughtful about content creation. We know that some of our competitors offer hundreds of awareness and training options to choose from, in a variety of styles and flavors. Respectfully, we don’t feel that is an effective approach, and here are a few reasons why:
- When there is a vastly different “look and feel” to the pieces of content used, employees lose a sense of continuity. Materials need to strike the right balance between variety and consistency.
- Only so much time can be dedicated to cybersecurity education in any organization. While we advocate for regular, ongoing training, our goal is to allow organizations to create seamless programs that are minimally disruptive to the normal flow of business. You don’t want to overload your users and make training feel like a nuisance or a chore.
- Administrators don’t have time to wade through an exceedingly vast portfolio of materials to find the content that is appropriate for their organization. With Wombat, you can be confident that all pieces of our portfolio have been designed to work together, which helps organizations develop consistent, effective programs that generate early and ongoing improvements.
- To be frank, certain training modules should be repeated over time. Key topics — like phishing and ransomware prevention, compliance requirements, and data protection techniques — should be revisited every year and touched on regularly year-round.
Don’t put yourself — or your users — in a position of being either overwhelmed or underwhelmed by your security awareness training program. To ensure success, take a continuous approach that includes reinforcement activities. And be selective about “more is more” promises from your potential partners (unless you’re looking for more customer support, more multinational support, and more opportunities to engage with your peers).