Nine tactics for cyber security training that sticks
31 July 2017
Cyber security training needs to be engaging if it is to be effective. Teiss Head of Training and Consulting, Jeremy Swinfen Green, offers some helpful tips.
Unless you train your workers in cyber safe behaviour, all the technology in the world won’t keep your organisation free from cyber risks.
But training should not just be a presentation that people are forced to attend, or a document that they are encouraged to read. It needs to engage the attention of the audience if you want it to deliver real understanding and knowledge that is retained for some time.
Nine tips for effective cyber security training
So how can you create training that does the job it is supposed to do? Here are nine tips you will find useful.
- Why, not just what
Don’t just tell people what to do. Tell people why they should do it. Give people a reason and they are much more likely to remember it.
- Not just once
Training needs to be repeated. Regularly. Tell people something once and they will forget it almost immediately. Repeat the message, during each training session and over a series of training sessions.
- Bite sized
You might think that cyber security is interesting. But most of your audience won’t. So divide your training up into bite sized chunks. 5 or 10 minutes is probably as long as you can realistically hope to hold their interest for.
Don’t rely on one delivery channel. Deliver your message using as many media as possible: video, text, face-to-face, images…
- Tell a story
Information on its own is hard to remember. Contextualise it by wrapping the information in a story; people remember stories and retain the information in them in a way they won’t if you just send them information.
- Make it relevant
If your training seems relevant it will have a greater impact. Address people personally and use stories about circumstances they recognise.
- Surprise them
Think of ways to surprise your audience. A twist in the story. A new character. A joke. Or something left hanging until the next episode of training. If it is unexpected it will be engaging.
- Use multiple styles
There are several different ways of learning. Reading. Seeing. Doing. Some people learn best reading. Others like to see and be shown. And some people like to do. So deliver your message in different ways so that people can learn in the way that suits them best.
Push people into revisiting what they have learned. Ask them questions about it, or get them to write about it. Reprising what they know is a way of pushing information from short term memory into long term memory.
Training isn’t enough
If you want people to behave safely, delivering information to them will never be enough.
- Keep people aware. You need to ensure that people are kept aware of how to behave safely. Use as many different media as possible: email newsletters, posters, team meetings, or banners on your intranet.
- Don't let them become demotivated. And you need to make sure people are motivated to behave safely. Start by making sure they are not actively demotivated by having to struggle with security requirements that get in the way of doing the day job.
- Keep people motivated. Then motivate them to behave safely – rewards can be simple: acknowledgement for behaving safely such as badges and leader-boards, public acknowledgement by managers, or small gifts such as mouse-mats and mugs. But do be careful with punishments, even if they are small – punishments demotivate, and demotivated workers are insecure workers!
- Strengthen cyber security culture. Finally you will need to address certain aspects of culture such as the need to take personal responsibility, “social courage” (the ability to put cyber security above social norms such as helping someone you don’t know) and trust – the tendency of people to trust other people even when there is no evidence that they are worthy of trust.
This isn’t easy. But a programme of training, awareness, motivation and cultural change is essential for any organisation that wishes to remain cyber secure.