In his book The Shallows: What the Internet Is Doing to Our Brains, author Nicholas Carr states:
“What the Net seems to be doing is chipping away my capacity for concentration and contemplation. Whether I’m online or not, my mind now expects to take in information the way the Net distributes it: in a swiftly moving stream of particles. Once I was a scuba diver in the sea of words. Now I zip along the surface like a guy on a Jet Ski.”
Our ability to “go deep” into a topic has been negatively conditioned by Facebook, Snapchat, YouTube, and other internet content providers. Think about scrolling through your news feed on Facebook. If you see a video that a friend has posted that is longer than five minutes, you probably won’t watch it. If it’s less than five minutes and the comments are in the thousands, you might watch it. As you move down the time chain from five minutes, to four, to three, the likelihood you will consume the content becomes greater.
This conditioning is not limited to Facebook; it permeates our personal and professional lives regardless of the content we consume, be it book, blog post, or training manual. This becomes an issue when an organization needs to train employees on a particular subject such as security awareness. If the training incorporates a lot of information and you need to go deep, it’s a challenge to keep employees’ attention.
Security awareness training has an additional issue. Unlike training on new software as a job requirement, being security aware is not necessary to do the work at hand. This makes the training seem less relevant and important.
The reality is that providing this training is one of the most important things you can do for an organization. After all the solutions you have put in place to keep clients’ data safe, humans are the last line of defense.
Traditional security awareness training is often done with a “check the box” mentality. The vast majority of content produced in-house, and a lot of the off-the-shelf training that focuses on compliance, is long, dull, and typically required only once a year. What’s crazy about this lack of regular messaging is that security threats change by the hour. By the time most training is released, pieces of it are stale, as threat actors always find new ways into the organization through its human workers.
How many times have you launched a training session, hit the “minimize” button, and then listened for the auditory cues to go back to the training, answer a question, or hit the next button? It’s simply not effective. But we are not going to “uncondition” employees’ internet-inspired habits. We have to work with these habits.
Here are some keys to an effective security awareness program, whether you develop it or procure it from a third party:
1. Make the training segments engaging and no longer than four minutes.
2. Train regularly, about once a month. If it is done correctly, you’ll create a “culture of security awareness,” with employees having their antennas up when they go online.
3. Have the training incorporate stories about breaches that have actually happened. It tells employees that this can happen because it has already happened.
4. Create a competition based on who consumes content in a timely manner and answers questions correctly at the end of the training.
5. Keep the content fresh, focusing on current breaches and threats.
6. Focus each segment on a single attack vector so people can easily recall what they have learned.
7. Use video training, which is best, or tools such as infographics that walk the user through the threat.
Implementing these tactics can turn your security awareness program into something engaging that people remember and put into practice. It could also mean you don’t end up on the front page of The Wall Street Journal for the wrong reason.
ZACK SCHULER is the CEO of NINJIO LLC, a gamified security awareness training company in Westlake Village, Calif.