Shifting to Security Awareness 2.0


Security Awareness Training is Fun

There’s a good chance that you don’t believe the above sentence. Since when is security training fun? Everyone knows that it’s boring and only done to meet compliance.

Tedious and pointless, Security Awareness 1.0 is the way most training is done today. Security Awareness 2.0 is a revolutionary approach that makes training not only more effective, but more enjoyable. Shifting to Security Awareness 2.0 requires a change in attitude and adopting a few basic principles.

The Power of Disney

For three years Jason Hoenich, one of the founders of Habitu8, built and ran the custom security awareness program at Disney. After watching films such as Frozen and Inside Out, he noticed that Disney had an approach that taught lessons in an extremely effective way.

In general, films ran about 90 minutes and had three to five character story arcs, each of which delivered a significant learning moment. The “5-3-90” formula (five characters, three themes, 90 minutes) allowed each character to learn a lesson on their own unique journey. This formula assumes that the average audience can process one lesson every 30 minutes.

Security awareness vendors want to sell as many licenses as possible. To show value to their clients, they have a ton of content. In just a one-hour training session, they cram up to ten topics, each of which has at least three learning points. Staff members have to absorb 30 pieces of information in 60 minutes. This “30-60” rule means that employees are supposed to learn one piece of information every two minutes.

By wildly overestimating employees’ ability to process information, security awareness trainers exhaust them. This creates a new disorder, security fatigue, which is when workers are overwhelmed with decisions that they are required to make in a given period of time.

Security awareness 1.0 throws an entire book at someone in a 60-minute training session. This doesn't provide value to the company or employee. Security Awareness 2.0 is more effective because it allows employees to learn at a realistic pace.

The Power of Language

Best-selling author Robert Cialdini describes a meeting at a healthcare company. He was giving a speech, and his PowerPoint presentation had to be pre-approved. The corporate communications department insisted that he say “information points” and “business goals” instead of “bullet points” and “business targets.” They explained that as a healthcare company, they focused on healing and positivity.

Like any rational person, Robert thought this was...odd, but he went along with their suggestions. Eventually, he started to see the value of using positive words instead of negative ones.

Security awareness 1.0 uses a lot of negative language. Employees who “fail” a phishing simulation are described as “offenders.” Workers are considered to be “insider threats.” They are told that “humans are the weakest link.” This reinforces the idea that users are just too dumb to understand something. Over the last 10 years, this idea has become common in the information technology space.

Telling people they are too stupid to learn is a terrible way to teach anybody anything. It also gives security awareness trainers an easy excuse for not being effective: “It’s not my fault; it’s just those dumb people.”

Security awareness 1.0 assumes people don’t learn because they are stupid. Security Awareness 2.0 assumes that employees can learn and will learn if information is presented in an appropriate and entertaining way.

The Power of Spoiled Expectations

Typical Security Awareness 1.0 training involves

  • Interactive online modules no one wants to do

  • PowerPoint presentations no one wants to hear

  • Emails no one wants to read

Hell, I almost fell asleep just writing that.

Security Awareness 2.0 violates our expectations. When we surprise someone, we grab their attention, which allows us to provide key information that the brain is willing to process. It puts us into a state of processing information for a few seconds.

Surprise is an essential element of humor, so it’s a very effective way of delivering information. Humor is one way of focusing on the user experience.

All security awareness training must consider the user experience. For example, if you send an email, what will it look like to the person receiving it? The end-user will see 25 other emails in their inbox competing for their attention.

Instead of sending an email about the dangers of clicking on unknown links, stage a live hacking demonstration. Employees have been warned about clicking on links for years, but no one has actually shown them what happens when they do. Because a live hacking demonstration is unusual, it is especially engaging.

The Power of Stories

As demonstrated by Disney, the best way to teach is to tell a story. People learn when information is presented with an arc, characters, conflict, and resolution.

Security Awareness 1.0 teaches lessons. Security Awareness 2.0 tells stories. For examples of lessons delivered by good storytelling, check out our free Trial Platform.

Jason Hoenich