One organisation recorded just a 17% completion rate following their initial email asking people to do mandatory security awareness training…
…it’s little wonder some businesses end up with a cottage industry of line managers, HR and infosec staff chasing people to get an elusive completion stat over 90%. Sure, some have it sorted with a mature corporate governance culture flowing-down accountability for training completion. Others resort to holding back bonuses or reviews until mandatory training is done.
For the time being we will set aside that ideally we want more than completion (we want engagement, retention and changes to behaviours). Because for compliance purposes, completion remains a significant measure. So how do you increase security awareness completion rates?
Whilst it can drive completion, our own research has told us that awareness is less effective if people engage under duress. Or because it is “mandatory”. Completion may go up, but retention will go down. The ideal is that people choose to engage.
Make the content short and sweet and relevant – either a juicy story about a real cyber incident, or something highly relevant to the recipient’s job. Or, even better, their personal life.
Instead, drip feeding little and often offers a gentle “nudge” to think about a security awareness topic, very briefly, and then get back to work. For example, 1.5 minutes per month is better than 15 minutes a year, but with the same completion outcome. And this “spacing” is proven to help with retention.
Make it convenient
Remove the inertia inherent in having to login to an online learning platform and bring the guidance straight to the user. Make it easily accessible, on their terms, but persistently available (and intriguing as above) so they will dip into it.
Keep content relevant
Either through delivering awareness only when a risky behaviour takes place, or through tailoring delivery based on user, location and other characteristics, content can be much more targeted and relevant – increasing engagement.
Automatically measure engagement
Finally, reduce the management overhead by getting data on completion and ideally wow the auditor with richer measures of engagement such as dwell times on content.
So, if you are still filling in spreadsheets and getting fed up of sending urgent and threatening chaser emails to people to do their mandatory training, then there may just be a better way….