Experts: Melanie Knight, Learning and Design Lead, ThinkCyber.
Key Takeaways
The data
Cybersecurity training often fails to address the realities of how people truly learn and behave, leaving employees ill-equipped to handle evolving threats. Despite a wealth of research and empirical evidence supporting more effective learning methods, traditional approaches persist. By embracing proven strategies like microlearning, real-time tips, and contextual guidance, cybersecurity can innovate and reshape its training methods. How can these strategies be harnessed to ensure employees are prepared to tackle the next wave of digital threats?
With each passing year, technology continues to play a more prominent role in our daily lives, increasing the efficiency and accuracy of tasks that once required teams of people and days of dedicated attention (budgeting, trend forecasting, etc.). This shift can be seen in a survey by Forbes Advisor, which found that 56% of businesses use AI (Artificial Intelligence) to improve and perfect business operations [1].
In an attempt to maintain safety while keeping pace with technology integration into working practices, the cyber security industry has leaned on compliance-based training and annual training courses. Unsurprisingly, these methods have continued to yield underwhelming results as employees are asked to remember large amounts of information quickly. Much like cramming for a test at school, you might be able to get away with a passing grade, but you’ll be extremely hard-pressed to recall the information when required in real-life scenarios. Hence, only 23% of employees who participated in compliance or ethics training within the past 12 months rated their training as "excellent," indicating that the majority found it uninspiring, unmemorable, or irrelevant to their work [2].
Cybersecurity is not the first industry to face this issue. In gaming, popular titles like SimCity 2000 (1993) advised players to consult a planning guide detailing every potential in-game disaster before playing [3]. Similarly, large textbooks such as encyclopaedias were once considered essential building blocks in education. However, these dense texts have given way to learning approaches such as contextual learning and microlearning, where individuals are given small amounts of information at the point they need. Prime examples include the global mobile gaming sensation Candy Crush, where in-game nudges have replaced lengthy manuals, and apps like Duolingo and 7taps, which use microlearning techniques such as spaced learning and chunking. These methods reset and flatten the forgetting curve, helping individuals retain information more effectively.
For long-time learning designer and educator Melanie Knight, applying the same learning approaches to cyber security training is a necessary evolution. "The threats people face in the workplace used to be relatively static—remaining consistent across generations. However, with the advent of computers and the internet, these threats now evolve rapidly," says Knight. "Annual compliance courses attempt to address this by cramming in more information, but this approach is flawed. By the time the next session rolls around, the material is often outdated, and employees struggle to retain dense content anyway." Moreover, when the content remains unchanged year after year, it risks sending a message to employees that the organization lacks genuine commitment to their development or to staying ahead of evolving threats [4]. Knight points to other industries that have adapted more effectively: "Game designers realised long ago that manuals were ineffective, and education has embraced methods like microlearning. Cybersecurity, however, is lagging behind. It’s not just about shortening training sessions but making them contextual and directly relevant to the tasks employees face, enabling them to stay equipped for the ever-changing landscape."
Compliance-based learning continues to evolve, offering employees training on a growing array of essential topics such as diversity and inclusion, health and safety, fire safety, cybersecurity, and codes of conduct. Companies recognise the importance of equipping employees with the foundational knowledge to maintain high-performance standards and workplace safety. However, according to Melanie Knight, Learning and Design Lead at cyber security company ThinkCyber, the way this training is delivered often undermines its effectiveness.
"Most organisations frontload compliance training during onboarding, overwhelming new employees with a deluge of information that they’re expected to retain," Knight explains. This practice places unrealistic demands on short-term memory (or working memory), which research shows can handle no more than around four to seven elements simultaneously [5]. Unsurprisingly, employees retain only about 20% of what they are taught, leaving critical gaps in understanding and application [6]. Knight stresses that while companies aim to cover all bases upfront, the sheer volume of information is counterproductive—little of it transitions to long-term memory, and the material is often outdated before the next annual session. She advocates for a more phased and practical approach, one that aligns with how people actually learn and retain information over time.
The nature of work has undergone a seismic shift. In the past, many jobs were routine and repetitive, such as factory assembly line work, requiring minimal problem-solving or decision-making. Training at that time was designed to build a workforce that could follow instructions efficiently. However, the rise of AI and automated technology has displaced these roles, leaving behind jobs that demand critical thinking and problem-solving at every level, not just in leadership positions.
This shift is particularly evident in fields like cybersecurity, where live digital threats and real-time challenges require employees to make rapid, autonomous decisions. Despite this, Knight highlights that most training approaches remain outdated, focusing on rote compliance rather than fostering critical thinking and real-time learning skills. The consequences are clear: 72% of managers consider critical thinking essential for organisational success, but only half believe their employees demonstrate this ability [7]. Furthermore, a report by Reboot reveals that 95% of respondents view critical thinking as vital in today’s world, yet 85% believe it is lacking in the public [8]. Knight emphasises that to bridge this gap, organisations must overhaul their training approaches, integrating real-time learning and decision-making practice to better reflect the demands of the modern workplace.
Contextual learning has become a key method in enhancing how individuals acquire and apply knowledge. In gaming, for example, Candy Crush uses tooltips to guide new players through the game, providing helpful hints at the right moments to ensure they aren't overwhelmed and can enjoy the experience. This form of contextual relevance helps players navigate difficult levels by offering tips when they need them the most. As Knight points out, "Game developers observed that players' excitement often leads them to start games without reading the instruction manual, causing difficulties with missions due to a lack of knowledge. Instead of relying on lengthy manuals, developers introduced tutorials and tips that offer guidance in context, helping players learn as they play."
This approach can be equally effective in cybersecurity. Instead of overwhelming individuals with all the information upfront, cybersecurity tips can be provided in real-time, helping users make informed decisions when they are at risk—such as receiving alerts or tips while attempting to respond to a phishing email. Studies show that contextual learning can enhance comprehension and retention by up to 40%, particularly when learning complex tools [9]. As Knight notes, much like game designers maximise playtime by balancing challenge to avoid frustration, effective cybersecurity training can maximise engagement by providing real-time, context-specific learning. This method, similar to the "nudges" used in games, encourages better retention and application of knowledge when it is most needed [10].
When it comes to learning, frequent small efforts are more effective than occasional large ones. Information broken down into manageable chunks rather than a single long stream is more straightforward to absorb and more likely to stick. This approach is evident in successful platforms like 7taps, which structures its content into "story cards," ensuring that training sessions remain under 10 minutes and the information is easily digestible. Similarly, Duolingo has cracked the code on learning by delivering language lessons in small, daily doses that feel manageable and engaging, embodying the segmentation principle first introduced by Richard Mayer [11]. By making learning bite-sized and easily accessible, these platforms show us how breaking content into smaller, more frequent pieces keeps it relevant and memorable, rather than overwhelming the learner with a flood of information.
In Knight’s view, “Spacing out learning over time makes it more impactful. When information is revisited regularly, it becomes far easier to retain, rather than overwhelming learners with one long session.” This aligns with the insights from Ebbinghaus’s forgetting curve, which suggests that without reinforcement, we quickly forget what we learn. Enter spaced repetition, the simple yet powerful strategy of revisiting information at intervals, allowing us to reset the forgetting curve and solidify knowledge.
The result? A far more effective approach to training. Research shows that microlearning can slash training time by up to 60% [12], while boosting retention by up to 80% [13]. Companies embracing this method see 50% more engagement and an impressive 37% increase in productivity, with 92% more likelihood to innovate [14]. Forget about those annual training sessions; it’s time for continuous, bite-sized learning that keeps employees engaged and ensures knowledge is retained long after the lesson is over.
SOURCES