Nine tactics for cyber security training that sticks -TEISS® : Cracking Cyber Security

boring cyber security training won't be effective

Culture / Nine tactics for cyber security training that sticks

Nine tactics for cyber security training that sticks

Cyber security training needs to be engaging if it is to be effective. Teiss Head of Training and Consulting, Jeremy Swinfen Green, offers some helpful tips.

Unless you train your workers in cyber safe behaviour, all the technology in the world won’t keep your organisation free from cyber risks.

But training should not just be a presentation that people are forced to attend, or a document that they are encouraged to read. It needs to engage the attention of the audience if you want it to deliver real understanding, knowledge that is retained for some time.

Nine tips for effective cyber security training

So how can you create training that does the job it is supposed to do? Here are nine tips you will find useful.

  1. Why, not just what

Don’t just tell people what to do. Tell people why they should do it. Give people a reason and they are much more likely to remember it.

  1. Not just once

Training needs to be repeated. Regularly. Tell people something once and they will forget it almost immediately. Repeat the message, during each training session and over a series of training sessions.

  1. Bite sized

You might think that cyber security is interesting. But most of your audience won’t. So divide you training up into bite sized chunks. 5 or 10 minutes is probably as long as you can realistically hope to hold their interest for.

Also of interest: Nine surprising things your workers need to know about data protection

  1. Multi-media

Don’t rely on one delivery channel. Deliver your message using as many media as possible: video, text, face-to-face, images…

  1. Tell a story

Information on its own is hard to remember. Contextualise it by wrapping the information in a story; people remember stories and retain the information in them in a way they won’t if you just send them information.

  1. Make it relevant

If your training seems relevant it will have a greater impact. Address people personally and use stories about circumstances they recognise.

  1. Surprise them

Think of ways to surprise you audience. A twist in the story. A new character. A joke. Or something left hanging until the next episode of training. If it is unexpected it will be engaging.

  1. Use multiple styles

There are several different ways of learning. Reading. Seeing. Doing.  Some people learn best reading. Others like to see and be shown. And some people like to do. So deliver your message in different ways so that people can learn in the way that suits them best.

  1. Reprise

Push people into revisiting what they have learned. Ask them questions about it, or get them to write about it. Reprising what they know if a way of f pushing information from short term memory into long term memory.

Training isn’t enough

If you want people to behave safely delivering them information will never be enough.

  • Keep people aware. You need to ensure that people are kept aware of how to behave safely. Use as many different media as possible: email newsletters, posters, team meetings, or banners on your intranet.
  • Don't let them become demotivated. And you need to make sure people are motivated to behave safely. Start by making sure they are not actively demotivated by having to struggle with security requirements that get in the way of doing the day job.
  • Keep people motivated.Then motivate them to behave safely – rewards can be simple: acknowledgement for behaving safely such as badges and leader-boards, public acknowledgement by managers, or small gifts such as mouse-mats and mugs. But do be careful with punishments, even if they are small – punishments demotivate, and demotivated workers are insecure workers!
  • Strengthen cyber security culture. Finally you will need to address certain aspects of culture such as the need to take personal responsibility, “social courage” (the ability to put cyber security above social norms such as helping someone you don’t know) and trust – the tendency of people to trust other people even when there is no evidence that they are worthy of trust.

This isn’t easy. But a programme of training, awareness, motivation and cultural change is essential for any organisation that wishes to remain cyber secure.


Image under licence from thinkstockphotos.co.uk copyright AndreyPopov

The following two tabs change content below.
Head of consulting at TEISS Jeremy is a highly experienced author, trainer and consultant who has worked in digital strategy, marketing and cyber security for 25 years. His special area of interest is how people engage with technology, sometimes known as "human factors"

Comments

Most Popular