Finding ways to engage your staff with cyber security training can be difficult but it doesn’t need to be. One of the best ways to educate staff and ensure key messaging is retained is by introducing the concept of storytelling in Security Awareness Training.
Storytelling is one of the most powerful ways to breathe life into your cyber security awareness campaign. Let’s face it, cyber security can be a dull topic but it’s vital you find ways to engage your staff if you want to positively impact behaviour within your organisation. The message is just too important to get lost in formal, corporate communications.
Stories are fundamental to the way people learn; they help create an emotional response that makes it easier to remember what’s being taught. Cyber security messaging can be brought to life, making it more relatable and real to people in their everyday lives. By making the story relevant to the end-user, you greatly increase the chance of that person retaining the information, therefore improving the overall security posture of your organisation.
The Power of Storytelling in Cyber Security Training
Research by Dr Paul Zak, a professor of economics, psychology, and management at Claremont Graduate University, found that compelling stories cause oxytocin to be released in the brain, which affects our attitudes, beliefs, and behaviour.
Oxytocin is produced when we are trusted or shown kindness, and it motivates cooperation with others. It does this by enhancing empathy, our ability to experience other people’s emotions. It’s this sense of empathy that moves people to take action or buy into a specific idea.
His research also found that character-driven stories with emotional content result in a better understanding of the key points, enabling a better recall of this information at a later date. In terms of making an impact, this goes way beyond the capabilities of a standard PowerPoint presentation.
If we listen to a PowerPoint presentation, certain parts of the brain get activated. Scientists call these regions the Broca’s area and Wernicke’s area. These are the language processing parts of the brain that interpret written words.
However, when we’re told a story, not only are the language processing parts of our brain activated, but any other area in our brain that we would use when experiencing the events of the story are too.
Incorporating Storytelling in Cyber Security Awareness Training
If Security Awareness Training is to resonate, staff need to fully understand the real-world consequences that a cyber attack could have on your business. Using stories and examples of real-life data breaches, you can start to paint a picture of just how easily your organisation could end up in the same situation.
Some of the biggest data breaches in recent history have resulted from a single phishing email, so your employees need to understand just how easily an attack can occur and the damage that could ensue from a simple error on their part.
By creating a compelling story, you can explain what risky behaviour looks like, what type of information attackers are looking for, common attack methods, and how devastating an attack could be on your business.
Put simply, your Security Awareness Training needs to start with a captivating human story that your staff can relate to. By bringing the subject matter to life, you will dramatically improve the retention rates of key cyber security messaging.
Top Tips for Effective Storytelling in Cyber Security Training
- Know your audience: To create a compelling story, you need to know your audience. Who are you trying to reach and how can you make the story relevant to their role? By taking the time to evaluate your audience’s needs, you will be able to craft an interesting story that will answer their questions and concerns surrounding the topic in question.
- Establish your goal: What do you hope to achieve through your storytelling? Your goal should identify what change you want to make and what message you want your audience to take away as a result of the story. Ideally, the outcomes discussed in your story should relate to the goal of your overall learning.
- Choose your story medium: Whether it’s a blog, article, podcast, video, or eLearning, choose the medium which is most appropriate for your audience and apply the same principles of storytelling.
- Use real examples: There’s no shortage of data breaches, so use these real-life examples to bring your stories to life. This will help educate employees on how easily these cyber attacks can occur and explore the various methods that cybercriminals will use to infiltrate a company.
- Use emotion: Stories activate many different parts of our brains. Transforming simple facts into relatable stories can help create emotions that establish a bond with your audience. A great way to engage your audience is to include the use of a villain. Villains are an essential part of a good story as they help people understand threats. Good vs evil is a story as old as time and in cyber security there’s definitely no shortage of villains!
- Keep it simple: Less is more when it comes to storytelling. Stories don’t need to be long and complex to be interesting. By simplifying your story, you will greatly increase the retention rates of your audience.
- Include a call to action: Your call to action will establish what action you would like your audience to take after listening to your story. Depending on the subject matter, this could be avoiding clicking on suspicious links, creating strong passwords, or staying alert to physical cyber security threats.
