Security awareness: how much is enough?


We know that security awareness training for all is an essential part of our organisational resilience to the growing risk from, and impact of, cyber-attacks. However, we see common and typical weaknesses in learning programmes:

1. Overestimating the extent to which the target audience can be trained;

2. Not understanding how people learn best, and then not applying this best practice to help sustain resilient behaviours and productivity.

Overestimation of training objectives

Awareness training is often designed by security professionals with a high degree of experience and expertise in technology. Experts have a clear mental “blueprint” of a subject area, developed over time and often built upon practical practitioner experiences which embed this blueprint in the mind. Their target audience, in this case all people across the organisation, lacks the same blueprint and has not been subject to the same practical experiences which create it. Moreover, the target audience is driven by different priorities and perceptions (security is not their primary task) and does not have the same motivation, or even need, to develop the same mental blueprint.

Take phishing, for example: a popular awareness topic. Security experts have a clear mental model of the characteristics of a phishing email – including both obvious and non-obvious signs of risk. They understand email domains, email envelopes and headers, URLs, etc. The non-expert target audience does not have the same model or the same interest – and the degree of effort required (by both trainer and trainee) to impart and then understand this model is likely beyond what a typical security awareness training course can reasonably hope to achieve. As the NCSC observes: no amount of training can help users spot every malicious email. The answer to the question “Is it really reasonable to train my staff to become expert at detecting phishing emails?” has to be a resounding “NO”.

How do we learn and sustain what we learn over time?

This common pitfall of overestimation is usually exacerbated by delivering training in a way that is not aligned to how we actually learn. As just one of many examples, the benefits of the Spacing Effect, where learning points are refreshed, repeated and reinforced over time, are well known. By adopting a pattern of ‘learn something today, learn it again tomorrow and learn it again next week’, people absorb knowledge in more depth and retain it for longer.

Yet awareness training is all too often delivered as an annual 30-to-60-minute ‘tick-box’ course – a far cry from what we know works. The answer to the question “Is it really reasonable to train my staff to become expert at detecting phishing emails in a 30-minute annual training course?” should be an even more resounding “NO”.

There must be a better way!

The current ‘all staff, once a year’ approach to awareness training, so common today, simply does not influence or sustain long-term behaviour change. At best it might remind us of some essentials; at worst, it is treated as a necessary evil, a distraction, and something to be completed as rapidly as possible. It is not effective, and it is also not an efficient use of limited budgets.

So just how much security awareness training is enough?

We suggest: provide just enough to convey simple, practical advice that is straightforward and easy to understand.

But be realistic about what awareness training can really hope to achieve in terms of imparting expertise to a non-expert audience, and design a programme that delivers consistent training in a spaced fashion, with a focus on continuous reinforcement of key concepts and actions.

Many organisations already provide training like this in other areas. As Angela Sasse, Professor of Human Centred Technology at UCL, points out: “One of the key starting points for managing health and safety in organizations is that you need to make it easy for people to do the right thing. If we just applied those things in cyber security, things would look very different to how they look today.”

About us

ThinkCyber and AXELOS RESILIA are working together to create a new way to deliver, and reinforce, practical and actionable security awareness for maximum effect.

To find out what we’re developing contact:

Tim Ward, Founder, Think Cyber Security,

Nick Wilding, General Manager, Cyber Resilience, AXELOS RESILIA,
