Introduction
One organisation recorded just a 17% completion rate following their initial email asking people to do mandatory security awareness training…
…it’s little wonder some businesses end up with a cottage industry of line managers, HR and infosec staff chasing people to get an elusive completion stat over 90%. Sure, some have it sorted with a mature corporate governance culture flowing down accountability for training completion. Others resort to holding back bonuses or reviews until mandatory training is done.
Even if only for compliance purposes, completion remains a significant measure, but we want more. We want engagement, retention and changes to behaviours, but how?
1. Avoid coercion
Whilst it can drive completion, our own research has told us that awareness is less effective if people engage under duress or because it is “mandatory”. This instantly sets expectations and puts up barriers. Completion may go up, but retention will go down. The ideal scenario is that people choose to engage.
2. So…encourage engagement
Make the content short, sweet and relevant – either a juicy story about a real cyber incident or something highly relevant to the recipient’s job. Or, even better, their personal life. Narrative-based learning is highly effective at increasing comprehension and boosting engagement.
3. Little and often
You might be stunned to hear that 50% of information from a training session will be forgotten within an hour, 70% within 24 hours!
Instead, drip feeding little and often offers a gentle “nudge” to think about a security awareness topic, very briefly, and then get back to work. For example, 1.5 minutes per month is better than 15 minutes a year, but with the same completion outcome. And this “spacing” is proven to help with retention.
4. Make it convenient
Remove the inertia inherent in having to log in to an online learning platform and bring the guidance straight to the user. Make it easily accessible, on their terms, but persistently available (and intriguing as above) so they will dip into it.
5. Keep content relevant
Either through delivering awareness only when a risky behaviour takes place or through tailoring delivery based on user, location and other characteristics, content can be much more targeted and relevant – increasing engagement.
Therefore, knowing your audience is the first step: knowing how they learn, what they engage with and what they don’t like is essential to delivering relevant and engaging content for them.
6. Automatically measure engagement
Finally, reduce the management overhead by getting data on completion and ideally wow the auditor with richer measures of engagement such as dwell times on content or even actual, on-device, behavioural trends.
Conclusion
Engaging users might be difficult, and driving them towards secure behaviour even more so; we understand that. But with the simple steps above, you can significantly boost engagement and meet compliance requirements.
So, if you are still filling in spreadsheets and getting fed up with sending urgent and threatening chaser emails to people to do their mandatory training, then there may just be a better way…