In part two of this series of blogs reporting on our research project to “Reimagine Security Awareness”, we feed back what users told us would make them engage with security awareness training. Whereas part 1 covered the “do nots”, part 2 covers the “do dos”.
We can all recall moments of training and education that have been positive and effective learning experiences. Via a series of workshops, we asked IT users from a range of organisations to draw on these memories and reflect on what had made them so effective. We then presented a set of characteristics that define any learning experience (for example, the delivery mechanism, the frequency, the duration) and encouraged our workshop attendees to direct their feedback towards each of those characteristics in turn. They told us the following:
1. Stimulate the decision to learn
“It is good to stimulate your (own) thinking and start the learning process”
“If you choose to go on your own training there is more motivation to get something out of it rather than just a tick box for the organisation”
Learning is considerably more effective if the individual makes the choice to learn. Stimulate the user’s decision to engage with the training by, for example, delivering well-timed, thought-provoking messages, or by illustrating why completing the training is important to protect against current or recent threats. And in particular…
2. Make it personal
“They talk about what’s going to happen to the company but if they relate it to you personally that would make me learn about it”
“You could see that happening to you if you aren’t careful”
Guidance that’s relevant to the user’s personal life, and protection of their personal assets, will likely gain more interest than guidance that purely addresses the needs of corporate governance. This doesn’t mean that corporate requirements need to be entirely disregarded – it may just be a case of framing: explain how guidance is applicable in both contexts, and consider how helping people achieve a higher level of cyber hygiene in their personal lives will have knock-on benefits to corporate IT use.
3. Moderate the length and be clear on key messages
“When (training is) too long it feels like being held captive”
“(Identify) small changes you can do rather than having to think about how overwhelming the problem is”
“People only take away three key points from training…”
People won’t engage properly if training is over-long or lacks a clear set of takeaway messages. Keep it short and sweet, and…
4. Expand on training over time and keep it fresh
“If you do three minutes of training but do it over multiple sessions it kind of multiplies. Whereas if you do it all at once little details are going to get missed”
“It should be an ongoing thing because there are new threats every week”
“Learning little by little when it’s relevant is much more likely to stick”
“If training is up to date, then it can give up to date reminders about things that have just happened”
Try to allow people to build their expertise over time. Accept that people won’t absorb everything in one session, and that repeated exposure to key messages is likely to be required in order to make them stick. Taking a more ongoing approach to the update and delivery of training helps keep it new and interesting.
5. Make the learning feel necessary, applicable, and manageable
“When it’s relevant and you can actually see where it lies in your personal life, or indeed in the workplace, you get a lot more out of it. It’s then you can actually see the relevance”
“…make sure that those three key points are actually usable”
Users need to see that training really relates to them, and their role within an organisation. They also need to believe that anything they’re being asked to do, or to apply in their day-to-day, is reasonable/manageable. Be realistic, and make sure it’s actionable.
6. Offer “risk based” guidance
[Targeting a] “more specific personal need, is something I would prefer because I don’t really know what I know at this point about cyber security”
Remember that users don’t always know what they don’t know, so targeted guidance was seen as highly useful. This could either be targeted at a set of people according to their observed long-term behaviour (e.g. phishing test repeat offenders) or, even better, targeted at people according to their activities at a specific point in time (e.g. when they plug in a removable drive, click a link, enter credentials into a browser, etc.).
Summarising our findings (the “Do nots” set out in Part 1 and the “Do dos” set out here), our challenge is to deliver the right content to users, the right way, at the right time.
And how do we do that? The next blog in this series will explore what practitioners need and want from security awareness.
About this work
This blog resulted from a project supported by Innovate UK and conducted alongside Pam Briggs, Professor and Chair in Applied Psychology at Northumbria University. The project ran workshops with staff across commercial, professional services and public sector organisations, including Deloitte, Camden Council and at our strategic partner AXELOS RESILIA.