Cyber Security Training is not a Punishment
The summer holidays might just be starting for some, but for cyber security awareness professionals autumn is front of mind. The leaves fall, pumpkin spice lattes get their day in the sun and ghosts come out to play. And what else? Oh yes, October ushers in cyber security awareness month.
Cyber security awareness-raising has been transformed over the decade or so that I've been working in the field. There are so many innovative and engaging activities and initiatives out there, so there's really no excuse to still give people the impression that cyber security is boring.
Worse than forcing people to sit through compliance-driven training: making them sit through it again because they clicked a link in a phishing simulation. The message you send when you do that? That they 'failed' and need to be punished with boring training.
Is that really how we want people to feel when they're learning about cyber security?
Over the last couple of years, cyber security culture has risen up the agenda. If you're thinking of what kind of awareness-raising you want to deliver, first ask yourself what your organisation culture is like. With that in mind, what kind of cyber security culture are you looking to build? What attitudes and behaviours would make up that culture? How can you foster those attitudes and behaviours whilst also addressing your key human-based risks?
We have helped many of our clients run more innovative awareness-raising initiatives with great success, especially during October. Examples include:
🐞 Hacking demonstrations
💻 Password cracking
🔓 Lock picking stations
🧐 OSINT exercises
🍿 Bitesize content
The levels of engagement are always so satisfying. When you have fun with cyber security, whilst delivering a meaningful and actionable message, it's a game changer. It leaves people talking about cyber security, with their colleagues and their families. This creates a positive ripple effect that reaches beyond October and into the community.
There is a common perception that people learn in different ways (visual, auditory, kinaesthetic, and reading/writing) and that mixing up delivery methods to match these "learning styles" is good practice. However, the cognitive neuroscientist Stanislas Dehaene (in his book How We Learn) shows that this is not the case. Instead, he recommends that you focus on four pillars:
Pillar 1: Attention
"A passive organism cannot learn"
Pillar 2: Active engagement
"Enhance the environment"
Pillar 3: Error feedback
"Zero error, zero learning"
Pillar 4: Consolidation
"It is better to spread out the training periods rather than cram them into a single run"
Thanks to Sue Hope for the steer on this.
Which brings me to an important point: don't forget to gather feedback and track metrics for the awareness-raising you deliver in October. Depending on your capacity and the maturity of your programme, this could be as simple as tracking participant numbers and sharing a quick feedback form for your different initiatives. If you're looking for something more in-depth, you could run a survey before and after October to test whether your key messages have landed. Take it a step further and repeat the survey in January to see whether any of those messages have been retained.
If you want to learn more about what other cyber security awareness professionals are doing for October and beyond, don't miss the SANS Security Awareness Summit 2022 next week. I'm not saying it's great because I'm on the advisory board, I'm on the advisory board because it's great! This year, it's a hybrid event which is free to attend online.
To learn more about the awareness-raising content and activities that we at Cygenta deliver for clients, drop us a line. Finally, if you want to stay in the loop with all things connected to the human side of cyber security, don't forget to subscribe to our mailing list!