Generally speaking, traditional security awareness training is delivered in one of four ways:
1. Classroom-based training
2. Visual aids (including video)
3. Through simulated attacks
4. Computer-based training
Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.
In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favoured approach.
1. Classroom-based training
What is it?
Classroom-based training is exactly what it sounds like.
Attendees are taken away from their usual roles and, for at least a few hours, take part in a workshop which sees an instructor lead them through the ins-and-outs of at least one security topic.
Classroom-based training replicates the principal teaching method used in primary and secondary education throughout places like the UK.
The pros of classroom-based training
The major advantage of classroom-based training is the immediate feedback loop both class instructor and attendees receive. Instructors can quite clearly gauge attendee engagement and adjust training accordingly. When things become stale instructors can introduce a quiz, for example. When attendees become distracted, instructors can initiate short breaks.
Similarly, attendees get to probe instructors throughout. Participants can ask for clarification or request further information and bespoke advice as necessary – and receive responses instantly.
Promoting a culture of security
Classroom-based training also helps promote a culture of security.
If company heads are willing to pull entire teams away from their normal roles for an entire day or more to talk solely about information security, it’s likely people are going to see security as a true organisational priority.
The cons of classroom-based training
Is it actually useful?
Despite its advantages, the overriding drawback of the classroom-based approach is its questionable effectiveness.
Classroom-based training conflicts almost entirely with Andragogy.
Also known as Adult Learning Theory, Andragogy was first developed by the American educator Malcolm Knowles, and posits that adults actually learn in an entirely different manner to children.
According to Adult Learning Theory, adults are largely independent and thus learn best independently. Similarly, according to the theory, motivation to learn amongst adults is in fact internal. While children might be reluctant to learn new things, Adult Learning Theory credits adults with an internal desire to learn new and helpful information. Going even further, the theory states adults seek to apply their learnings immediately, as opposed to storing up knowledge that might be applied at a later date.
Some argue that classroom-based learning almost entirely ignores Adult Learning Theory. Instead, it is considered by some to shoehorn a learning model developed for children into a potentially inappropriate setting. During classroom-based training, adults are assumed to have no interest in learning new things, are spoon-fed information and are asked to store up their learnings to use at a usually unspecified later date. While Adult Learning Theory is a widely accepted theory, classroom-based training goes against more or less all of its conclusions.
Classroom-based training also comes with a relatively substantial price tag. The cost of staff away-days isn’t one that can be easily ignored, and neither is the cost of hiring specialist instructors.
Finally, the infrequency of classroom-based training further jeopardises its potential efficacy. The disruption inherent in classroom-based training, combined with the costs of classroom-based training, mean such training usually only takes place annually at best – raising questions over how much of the training attendees will be able to recall 11 months down the line, and how much of the guidance will remain relevant a year on.
2. Visual aids
What are they?
Visual aids, again, are just what they sound like – visual pointers offering bite-sized security advice. They typically take the form of posters on topics such as secure passwords, handouts covering phishing scams or videos explaining things like the dangers of public wi-fi.
The pros of visual aids
Visual aids are easy to process
Humans never evolved to read. As Maryanne Wolf points out in her book Proust and the Squid, there is no direct genetic link passing reading skills from one generation to another, and as individuals we must rewire our brains to become literate beings. For many humans, reading is hard.
Conversely, processing both visual aids and audio is easy. In fact, it’s something humans can do inherently. Compared to written messages, visual aids are usually simple to process, helping you communicate complex information quickly without overwhelming training participants.
They’re scalable and inexpensive
Compared to classroom-based training, visual aids are relatively inexpensive. Posters and handouts rarely cost more than printing and paper costs. And while videos might be expensive to produce at the outset, they’re extremely scalable. The marginal cost of serving an existing video to another person is often next to nothing, and some companies specialise in doing just that.
They promote a culture of security
Visual aids are also easily referred to and ever-present. Like classroom-based training, their mere presence can contribute towards a culture of security.
The cons of visual aids
Visual aids are easily ignored
Unlike other forms of security awareness training, visual aids usually aren’t interactive. As you’d expect, they can therefore be easily ignored. After implementation, they can quickly fade into the background.
A lack of testing
As a society, we know testing aids recall (hence most security awareness training campaigns incorporate some form of testing), and yet, with visual aids, often no testing takes place.
No feedback loop
Visual aids are also entirely one way: there’s no feedback loop between those sending the message and those receiving the message. If those who do take the time to read visual aids have any questions or queries, both are likely to go unanswered.
3. Simulated attacks
Simulated attacks are dummy attacks aimed at users, designed to test people’s response to threats “in the field”. Today, simulated attacks usually take the form of simulated phishing emails, simulated text messages or “misplaced” USB sticks temptingly labelled things like “bonus payments” or “Corfu 2018 – private”. The security specialists behind simulated attacks attempt to trick people in the same way malicious actors might.
Participants’ responses to the attacks are monitored.
The pros of simulated attacks
Numerous psychological learnings suggest simulated attacks can be seriously powerful methods of transmitting a message, cementing messages in users’ minds and changing long-term behaviour. One such learning is the concept of schema.
Schema explain why we behave differently in different situations – because we frequently do.
At a cocktail party, for example, we might smile politely and nod while attempting to find common ground with friends of friends.
At a football match, meanwhile, we might scream encouragement at nearby players from the top of our lungs.
Screaming at a cocktail party would be patently ridiculous – so what is it that guides our behaviour in the two situations?
According to psychologists, it’s schema.
Studies show that, 24 hours a day, 7 days a week, our behaviour is influenced by our external environment. The presence of 22 players kicking a ball 50 yards away is something that lets us know it’s OK to scream; gentle jazz and canapés call for decorum.
What’s all this got to do with simulated attacks?
At least one of the purposes of security awareness training is to encourage people to behave in a secure manner in their day to day job roles. Unlike almost all other forms of security awareness training, simulated attacks do exactly that.
Because they take place as part of day to day job roles, simulated attacks have the potential to change our pre-existing “workday” schema to ensure security remains top of mind while working. And there’s more.
The research of Nobel Prize-winning psychologist Daniel Kahneman suggests, for the most part, our behaviours are governed by unconscious thoughts. These powerful unconscious thoughts aren’t easy to override… but they can be shaped by emotional experiences.
Simulated attacks are about as emotionally engaging as security awareness training can be. By that token, they can arguably do more to shape our behaviour than any other method of security awareness training that currently exists.
The cons of simulated attacks
Are simulated attacks moral?
Despite the potential of simulated attacks, they remain a method of security awareness training that divides opinion.
Some feel simulated attacks are both unproductive and immoral – two understandable arguments.
It’s certainly difficult to see how simulated attacks aid short-term productivity. And, as discussed above, simulated attacks can be emotional experiences.
Some see this as a positive (and, under the right circumstances, we agree). Others, however, think otherwise.
Finally, simulated attacks usually require the technological capabilities of external agents. They don’t necessarily cost a great deal, but they do typically require assistance from a third party, and therefore a security awareness training budget to implement.
4. Online security awareness training
Online security awareness training is usually a staple in a chief information security officer’s (CISO’s) arsenal, although what it actually is can vary wildly from provider to provider.
Some who provide online security awareness training are training specialists. Others are security specialists. From the former, compliance-based training that is little more than a tick-box exercise is commonplace. Users read about best-practice security and answer some questions on the subject shortly afterwards. In doing so, employers become ‘compliant’.
More advanced online security awareness training uses multimedia to change behaviour and reduce the risk of suffering a breach. At CybSafe, we do so by feeding insights from psychology and behavioural science into our unified cyber awareness platform, improving user awareness, changing user behaviour and developing a culture of security – the ABC of cyber security.
The pros of online security awareness training
Designed to help adults learn
As training goes, online security awareness training is almost the mirror image of its classroom-based equivalent.
Where classroom-based training assumes adults are unmotivated to learn, online training allows them to learn at their own pace.
Where classroom-based training sees adults as dependent on instructors, online training allows people to take control of their own learning.
Bite-sized content blocks allow people to put learnings into practice immediately. Smart online training even builds breaks in to allow users to do things like update insecure existing passwords.
Online training is Adult Learning Theory in practice.
What’s more, online training has begun to incorporate the feedback loops so valuable in classroom-based training into its online model. CybSafe, for example, has a feedback loop built in.
Users can – and do – submit feedback and questions, and they get answers from experts who have time to draft considered responses.
Compared to classroom-based training, online training is arguably less disruptive to the working day. Users can learn at their desks during quiet periods.
Course content can usually be referred to at any point, and advanced solutions routinely prompt users to do so.
It costs less per attendee than classroom-based training, too.
Online training is digital by definition, but it can take the form of digital text, digital video, digital audio and digital quizzes.
Online training therefore helps you harness the power of things like video and visual aids while also offering vital time for self-reflection – where users’ thoughts can move beyond receiving messages into the potential applications of the building blocks of security.
Online training is dynamic
As opposed to printed visual aids and one-off workshops, online training is dynamic.
When new threats emerge or new regulations come into force, new modules can be bolted on to existing security courses. GDPR, for example, brought in stringent regulations on processing and controlling data, so we responded by introducing a GDPR module to our cyber awareness platform.
Another benefit of online training is its advanced analytical capabilities. Information security officers and administrators can monitor who has done what and when and, by looking at test results, they can identify areas of the business that are more at-risk than others.
In doing so, those in security can offer support to those who need it… before it’s too late.
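The kind of analysis described above, turning per-user results into a per-department risk view, can be illustrated with a short script. This is an added example, not CybSafe platform code; the record fields (department, clicked, reported, quiz score), the sample data and the risk thresholds are all assumptions chosen for illustration.

```python
"""Aggregate simulated-phishing and quiz results by department.

Added example, not CybSafe platform code. Given per-user outcome records
from an awareness campaign, compute each department's click rate, report
rate and mean quiz score, then flag departments whose figures suggest they
need support before a real phishing email arrives.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    user: str
    department: str
    clicked: bool       # user followed the simulated phishing link
    reported: bool      # user reported the message to security
    quiz_score: float   # follow-up quiz result, 0.0 to 1.0


# Constructed sample data for illustration only (assumed field values).
SAMPLE = [
    Outcome("alice", "finance", True, False, 0.60),
    Outcome("bob", "finance", True, False, 0.55),
    Outcome("carol", "finance", False, True, 0.90),
    Outcome("dave", "engineering", False, True, 0.95),
    Outcome("erin", "engineering", False, False, 0.80),
    Outcome("frank", "engineering", False, True, 0.85),
    Outcome("grace", "sales", True, False, 0.50),
    Outcome("heidi", "sales", False, False, 0.70),
]


def summarise(outcomes):
    """Return {department: {"users", "click_rate", "report_rate", "mean_quiz"}}."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[o.department].append(o)

    summary = {}
    for dept, rows in groups.items():
        n = len(rows)
        summary[dept] = {
            "users": n,  # small groups give noisy rates, so always report the count
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
            "mean_quiz": sum(r.quiz_score for r in rows) / n,
        }
    return summary


def at_risk(summary, max_click_rate=0.5, min_report_rate=0.5):
    """Departments needing follow-up: click rate too high or report rate too low.

    The thresholds are assumed values; a real programme would set them from
    its own baseline and tighten them over successive campaigns.
    """
    return sorted(
        dept for dept, s in summary.items()
        if s["click_rate"] > max_click_rate or s["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    stats = summarise(SAMPLE)
    for dept, s in sorted(stats.items()):
        print(f"{dept:12} users={s['users']:2} click={s['click_rate']:.0%} "
              f"report={s['report_rate']:.0%} quiz={s['mean_quiz']:.0%}")
    print("needs support:", ", ".join(at_risk(stats)))
```

Reporting rate is tracked alongside click rate on purpose: a department that clicks rarely but never reports gives the security team no early warning, so it still warrants attention.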
The cons of online security awareness training
Online training can vary wildly
The only real downside to online training is the fact that the training landscape evolved as compliance-based training. A great many compliance-based packages remain prevalent today, and it isn’t always easy to tell the difference between training built to decrease the incidence of breaches and training designed to appease regulators.
That said, there are some tell-tale signs.
Advanced training, first of all, will usually explain not just that it changes user behaviour, but how it changes user behaviour. CybSafe, for example, offer a platform grounded in psychology and behavioural science which specifically addresses the human aspect of cyber security. The CybSafe platform changes users’ behaviour through behavioural science learnings – often referred to today as “nudge” theory, and used by advanced governments all around the world.
Advanced training will also be offered by security specialists, as opposed to training specialists. If your security awareness training provider also offers food hygiene standards training, alarm bells should start ringing.
Finally, advanced training should not just map out how it increases awareness and changes user behaviour, but how it helps nurture a culture of security, too.
The most effective approach
In the past, CISOs might have opted for just one of the above methods of training. In reality, many of today’s CISOs use a mixture of all of the above to address the human aspect of cyber security – an approach we advocate at CybSafe, and an approach advocated by expert academics such as Dr. Emma Williams of the University of Bristol.
Indeed, the CybSafe platform was developed with blended learning in mind. It offers online, story-based, multimedia training and cutting-edge simulated attacks; our partners have access to a suite of posters; and interactive quizzes are available to those who wish to fold classroom-based training into their security awareness campaigns.
The way we see it, technology has changed our lives – so it’s time we started thinking about changing our approach to make the most of the way people interact with technology.
To us, that doesn’t mean rehashing the same, tried-and-failed awareness campaigns in order to achieve compliance.
At CybSafe, we strongly believe reducing the risk of a breach takes a lot more than traditional, tick-box training. We believe truly countering threats requires a unified approach; one that makes use of modern technologies such as AI and innovative cognitive techniques to increase awareness, change behaviour and develop culture for the better.
We also believe that, by taking a unified approach, companies can empower their people not just to avoid threats, but to become an active defence in the fight against cyber crime in their professional and personal lives.