There is no doubt that face-to-face security awareness activities are a valuable part of the practitioner’s toolkit. But, given current events, we need to think differently. In this article we explore why face-to-face sessions can be so effective. And look at how we can aim to replicate some of those strengths using computer-based delivery of content.
Getting people in the same room forces the issue of staff engaging, or engaging to a higher degree, with security awareness. There are fewer distractions and people are compelled to set time aside to focus on the topic.
Practitioners can tell from the room and people’s interactions if they are engaged, paying attention and if the content is hitting home. They can clearly see who received the guidance messages as they are sat there in front of them – and may well have signed a register.
Delivering training face-to-face allows for a degree of personalisation – to the group, their security behaviours and level of understanding. Practitioners can question attendees, ascertain who is there – their roles, their knowledge, and adapt content accordingly. Questions and lack of understanding can be addressed there and then.
Many trainer-led sessions come to life through the anecdotes, examples and real-life stories practitioners can share in a face-to-face context.
With all the positives set out above, face-to-face sessions do have their weaknesses.
They can be time-consuming, expensive (often requiring travel) and, by their nature, tend to be infrequent. Realistically, in a large organisations, you’ll be lucky to get in front of each member of staff once a year, if that.
In addition, face-to-face delivery may not play to different people’s learning preferences, and can be inflexible from the perspective of the participants – who have to be there at the specified time and place. Giving people control over pace and timing of training can significantly improve engagement.
But there is a reason you’ve been doing face-to-face awareness! The traditional computer-based alternatives really can’t compete.
We know how people click next, next, next, yawning through much of the eLearning out there. We’ve all been in phone / web conferences with dogs barking, doorbells ringing and wondering if anyone at all is engaged with our webinar. And if we want to engage and push awareness out there, we all know that emails will be read by 10%, maybe 15%, of recipients – if we’re lucky!
So we’ve looked at the strengths of face-to-face in “taking it to the people” and we know the issues with traditional computer-based alternatives. What, then, can we do to make computer-based delivery more like face-to-face, and even overcome some of the drawbacks?
Try to integrate awareness into people’s everyday interaction with their computer. Find ways to ‘push’ content out rather than expecting users to come to the content. Overcome that inertial barrier of finding a mandatory eLearning reminder email, logging in, remembering the password… But keep it short and sweet – remember that over-burdening people with information is counterproductive.
One or two questions with each snippet of content can help gauge understanding. And, if possible, find a way to understand if/how people are engaging with security guidance – who’s seen what, for how long, did they click through?
Different staff will be subject to different threats and may have differing degrees of understanding. Tailor content to users’ roles and, if possible, to their actual security behaviours – delivering interventions at the point of risk.
Introduce real examples and real narratives into short snippets of content. Bring the threats to life – and perhaps offer social proof of preferred behaviours: “85% of your colleagues use three random words to set a password”; in other words, “your colleagues are doing this, so should you”.
Face-to-face sessions are typically infrequent. Little and often can be far more effective – for example, spaced learning (learning something today, tomorrow and again next week) has been shown to increase retention by up to 200%.
Your staff will want to do the right thing and will engage with short and interesting content. But not if it’s rammed down their throats! So, allow them some control over when they engage. And of course, keep track that they do.
You were probably planning face-to-face awareness activities as part of your programme this year. Given current circumstances forcing many staff to work from home and reduced or cancelled travel, face-to-face awareness is less of a realistic option.
However, as we’ve explored here, with the right approach, it is still possible to “take it to the people”. To drive engagement, measure understanding, personalise content and, even better than face-to-face, keep awareness ongoing. All of which can deliver the secure behaviour change you need.