Mention the phrase “mandatory training” to almost any employee and they will likely roll their eyes in despair. But security awareness must be part of the cyber defence strategy in any organisation. Truly engaging your employees is a critical element of this strategy.
So how can we change this eye-rolling response, engage employees and change insecure behaviours? Working with Pam Briggs, Professor and Chair in Applied Psychology at Northumbria University, and supported by Innovate UK, ThinkCyber have set out to determine exactly that.
The obvious starting point of our joint project to “Reimagine Security Awareness” was to ask users / participants / subjects / victims [delete as applicable]. We ran workshops with staff across commercial, professional services and public sector organisations (including at our strategic partner AXELOS RESILIA) and in part 1 of this series of blogs we report on six things they told us they don’t want…
1. DON’T…rely on lengthy annual mandatory training sessions. Long training courses aren’t popular, whether delivered face to face or as online e-learning.
“It feels like being held captive in the room”
“You just read stuff and press next, next, next, next…”
“I open all the training at once and cycle through each clicking next”
“Because it’s so long winded people find a way of cheating, they work out the answers without reading so the whole point is defeated”.
2. DON’T…use negative incentives, individual rankings or think that a certificate is a worthy reward.
“There was a leader board in the office and it was horrible, it was so big brother-ish and it oversimplifies what is essentially a complex thing and it makes you resent the whole process”
“I have been to training where they provide you with a certificate and I don’t usually pick it up.”
3. DON’T…frame it as ‘mandatory security awareness training’. This instantly sets expectations and puts up barriers.
“People associate mandatory training with the organisation/department covering its own back”
4. DON’T…use overly passive delivery models (reams of text), but avoid childish or patronising content too.
“I know they’re trying to make it fun, but we’re grown-ups”
5. DON’T…let the content get tired.
“If the organisation can’t be bothered to update our annual training then it can hardly be that important to them”
6. And finally…the jury is out on mobile. This is likely a very cultural or personal thing. We saw a bias away from mobile delivery and a firm dislike of any expectation that people will do training in their own time.
“If the organisation value it, they should make time for it”
In short, the users involved in our workshops told us that approaches to security awareness training that fall down on the areas listed above aren’t working to engage employees.
The next blog in this series explores what our users do want to see in security awareness, before we move on to finding out what security practitioners need and want from that awareness.