I heard a term used the other day that made me stop and give pause... it was something I had never heard before, and I wasn’t sure exactly what it meant. I went about my day but the term just stuck in my head until my curiosity got the better of me. When one of my kids comes to me with a word or phrase that they don’t understand, I always tell them to “Google it” (after all, we are in the 21st century). What is the term to which I refer? Experiential Learning.
Wikipedia defines Experiential Learning as: “the process of making meaning from direct experience, i.e., 'learning from experience.'” After reading the definition, I pondered how I, and the people around me, best learn a new skill or concept. No question, the best way to learn is by doing: putting yourself in the situation and walking through the process or procedures to accomplish the task at hand.
I then tied these ideas to cyber security training and thought of all the training I had taken in the past that still led me to make the same mistakes (e.g., clicking phishing emails). It occurred to me that all of that ineffective training talked “at me.” It didn't allow me to experience a “real life” situation.
So my advice to anyone looking to provide security awareness training to their employees is to be sure to choose a program that puts your users in “real” situations so that they can acquire the skills to recognize or take appropriate actions regarding cyber security. They will be more motivated to learn and be engaged, and your organization will be safer because of that.