What is your first memory? One of mine was starting school and sitting at a table with several other kids. I was in the moment, experiencing the situation. That moment, the scenario, became lodged in my brain.
Cybersecurity threats are now so complicated that it is hard to find a technology to deal with the multi-faceted nature of those threats. So, we turn to security awareness training – putting the human being at the centre of understanding how cybercriminals work. A report by analyst firm Juniper Research, into cybercrime trends to 2024, concluded:
“gains that can be made by increasing human awareness of cybersecurity can make more efficient use of cybersecurity spending”
Security awareness training is now a firm part of an organisation’s arsenal against cybercrime. It is effective in preventing cyber-attacks. But how do we make sure that training is cost-effective too?
How to Optimise Your Security Awareness Training
There are lots of security awareness training firms out there, offering a variety of packages. Differentiating between their products can be daunting. You will, no doubt, be presented with a myriad of choices, including:
- Classroom-based: This is a traditional method of teaching people about something; we’ve all done it. Typically, in the security context, a workshop would be run by the security training vendor on a specific cybersecurity topic. Groups of employees are then taught about that specific cybersecurity problem and how to deal with it. This type of training method has limited success in the area of security awareness.
- Visual aids: These are useful as part of an overall Security Awareness Training package. Visual aids are usually things such as posters and other methods of condensing an idea, like a handout. The trouble with non-interactive methods like this is that they can become invisible, ignored, and often misunderstood.
- Phishing simulations: These are programmed simulations that replicate typical phishing campaigns. You work with the vendor to set up a phishing campaign that targets your employees and tests how they respond to the “phishing” emails. It is a useful part of an overall security awareness program but is not an end in itself.
- Online (video-based): Video sessions can be used to teach employees about the various cybersecurity threats in their working lives. They are an online version of the classroom-based sessions, but more flexible. They also give the viewer more control over the session: viewers can leave a session, take their time, and even engage more easily in a video session. Often, the video will use multiple-choice questions as the employee goes through the training.
These offerings are all well and good, but what about that first memory? How was it made to stick so well? How did that moment in time stay in our memory?
Scenario-Based Security Awareness Training
Whilst video-based training has some excellent elements built into the fabric of the method, it also has some issues. Most video training packages use multiple-choice questions to feed back the level of success of the training. Multiple-choice questions do not cut the mustard when it comes to sticky learning. Adult Learning Theory points out that
“learning should be centred on solving problems instead of memorizing content”.
After all, this shouldn’t be an IQ test.
In other words, placing someone in a context where they can solve problems in a realistic manner gets better results than rote learning.
Scenario-based security awareness training, or “In-the-Moment” training, has benefits above and beyond the more traditional training packages. The use of scenario-based training creates situations and settings that more deeply embed the training into the person’s mind.
A study, “Gamification Techniques for Raising Cyber Security Awareness” by Scholefield and Shepherd, placed users into various scenarios using games to test the effectiveness of learning patterns. The study found an overall positive result, but it also identified that the game should be placed within a “context of an overarching storyline”; that is, user training should be contextual and scenario-based for optimal effectiveness.
How The Defence Works Uses Scenario-Based Security Awareness Training
Living in the moment is a key part of learning and remembering.
The Defence Works uses this concept to create immersive, interactive, gamified training packages. But we also go one step further: we create a storyline.
We place an individual into a context that gives them an idea of what it would be like to live through a cybersecurity incident; by doing so, we can more effectively embed knowledge. All of this is done within a safe environment. It gives employees an opportunity to live and learn, without actually feeling the deep impact of a real cybersecurity incident.
It is about as close as we can get to a Star Trek Holodeck but, of course, much more cost-effective.
Want to see our interactive “in the moment” training in action? Sign up for a free security awareness training demo today.