If the last couple of years taught us anything, it was that things change, unexpected things happen. Any security practitioner will tell you that security threats are always evolving. It’s clear that efforts to make end users aware of threats, to protect themselves and their organisations, must keep up.
We need to keep people up to date, but also to seize upon teachable moments when available.
What is narrative-based learning?
“Narrative[-based] learning is more than learning through stories. It’s also a way of conceptualizing the learning process. When we are learning something new, we’re trying to make sense of it, to figure out its internal logic and how it’s related to what we already know.”
Source: Clark, M. Carolyn and Rossiter, Marsha (2008). "Narrative Learning in the Adult Classroom," Adult Education Research Conference. https://newprairiepress.org/aerc/2008/papers/13
People love a good story. In fact, narrative-based learning is increasingly seen as being highly effective at increasing comprehension. And opportunities to draw on real-life situations and stories are rife, offering the potential to highlight security threats in a relatable way. These range from reported phishing emails, which let you highlight specific threats to your organisation, through to security incidents reported in the media and elsewhere.
Simply reviewing the NCSC’s threat reports for the last few months provides stories on things like:
These stories represent great opportunities to engage people with topical content, relevant to both work and personal security. But, as a security awareness or security practitioner, how can you best make use of this?
How to deliver the narrative?
To deliver a great story you need to choose the correct channel. We have investigated a few of the more common learning platforms and here are our findings:
e-Learning: it’s clear here that we need a content creation and delivery cycle of hours or days, rather than weeks or months. We want to be able to react to new threats and deliver topical content. And we want people to see it straight away. e-Learning probably isn’t going to be much help.
Intranet: a good set of security pages can play a crucial role in supporting awareness and secure behaviours. It can be home for policies and guidance. But, let’s be honest, people won’t visit these pages very often.
Email: how many emails do you get on average each day? Open rates for newsletter-type emails are around 10-20%. There’s just too much competition for attention in the inbox.
We’ve asserted before that Security Awareness needs to adapt. Gone are the days when an annual awareness course will cut it. Traditional channels struggle as mechanisms to deliver the sort of timely content that is needed. Which would seem to be a real missed opportunity unless we can…
…Find a new channel
The challenge here is to be able to adapt quickly, minimise impact on staff (giving them short snippets of information and a choice over when to engage), win the competition for attention, yet still pass on those key pieces of actionable advice.
And it is possible. We’ve seen engagement levels of greater than 90% with content that:
Is pushed directly to users, although still allows them to choose when to engage.
Can be updated in near real-time.
Interleaves interesting, intriguing, personally relevant and topical security content with more corporate-focused content.
Security Awareness need not always be a rigid compliance-based syllabus. A key part of the battle is to engage users and get them thinking about security and secure behaviours in any (and all) aspects of their lives.
Topical and relatable content offers the potential to do this. And a new channel, such as that provided by Redflags™, offers the ability to deliver that content. Right content, right time, right way.