Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.
In case there’s even a smidgen of doubt, classroom-based training is the sort of awareness training where people step away from the day job while an instructor leads them through various security topics in person.
The main benefit is that people can get immediate feedback. Plus they can chat with the trainer, which means they can pick an expert’s brains. So they could discover more useful information than in, say, a video seminar.
However, some argue that a classroom approach conflicts with Adult Learning Theory (andragogy), which holds that adults learn best when the learning is self-directed and problem-centred, whereas the instructor-led classroom suits children far more than it does adults.
What’s more, classroom-based training can be pricey, and it takes people away from their main roles for a large chunk of the day. Both these hurdles push organisations towards long, infrequent sessions, and neither long sessions nor long gaps between them bode well for information retention.
Visual aids aim to influence cybersecurity behavior through (gasp) visuals. We’re talking anything from posters to handouts to videos, all of which can cover a range of topics, from password security to phishing scams.
Visual aids are easy to process. A well-designed visual is quicker to take in than a block of text, so it can get a single point across (spot the spoofed sender, don’t reuse passwords) in seconds, without overwhelming people.
What’s more, they’re pretty cheap to get in place, especially compared to classroom-based training. You’re potentially just looking at covering the costs of a graphic designer (if you need one), printer ink, and some paper. And, in return, people are reminded to stick with good cybersecurity practices.
However, they do have some downsides. Visual aids can be easily ignored if they’re not engaging or interactive. Plus, over time, we stop “seeing” things that we’re used to: a poster that’s been on the same wall for six months is just part of the wall. And unlike classroom-based training, there is no feedback loop between the sender and receiver.
Last but not least, we know that follow-up testing boosts recall rates, and a poster or handout on its own never tests anyone. So, with visual aids alone, less of the important advice may stick in people’s minds.
The popular way to test people’s response to cyber threats: attacking them! Okay, it’s just a simulation. You can send a phishing email or an SMS, or even plant a “misplaced” USB stick and see who plugs it in.
Evidence tells us that simulated attacks are a super-powerful way of cementing messages in people’s minds, thus changing long-term behavior.
Sounds like a no-brainer, right? Wrong.
Some argue that simulated attacks are unproductive—even immoral. You’re choosing to put people through the wringer, which can raise a few eyebrows. Plus, it’s an emotionally charged experience, and that can impact people’s mental wellbeing.
We’re behavioral science nuts. So, we know that phishing sims can do more harm than good if they’re done wrong: naming and shaming people who click, punishing them, or using lures that play on pay rises, redundancies or a crisis breeds resentment and teaches people to hide mistakes rather than report them. But that’s not a good reason to dispense with them. It is, however, a reason to make sure you get them right: tell people in advance that simulations happen, make reporting a suspicious email the behaviour you measure and praise, and treat a click as a teaching moment, not a disciplinary one.
Online training can take many forms, from text to audio, video and quizzes. It’s also dynamic—when a new threat emerges, you can add a new module.
Beware, though: some providers offer compliance-based training that’s no more than a tick-box exercise. Training should instead influence long-term security behaviors and, in doing so, reduce the risk of a breach.
It’s also important to look for training offered by security specialists, not training specialists. That’s not to say all security specialists are created equal: any provider should be able to demonstrate how their offering goes about influencing security behaviors, and how it nurtures a culture of security.