Security awareness programs are seen as an effective way to manage cyber threats. But making cyber security training engaging is not necessarily an easy thing to do. All too often, employees will associate education with boring lectures or rote learning experiences from their school days. But it doesn’t have to be like this. Security Awareness Training can be performed in such a way that it both engages employees and empowers them.
5 Ways to Improve Security Awareness Engagement
Any teacher will tell you that a class that is disconnected from the learning experience is a class that does not learn. Education is all about making connections with the learner. How to make these connections has been the stuff of debate for centuries. However, certain tenets of engaged learning have been realised from tried and tested techniques. By using certain tactics, employee engagement can be achieved.
Here are MetaCompliance’s five key methods for successful security awareness program engagement:
- Personalise
- Team spirit
- Compete
- Gamify
- Reward
Personalise: Focus an Employee’s Mind on Security
Adding a personal context to something tends to focus the mind of an individual and connect them to the subject. Security Awareness Training offers modules that take an employee through certain scenarios where a security threat exists. Make these modules personal to the employee. For example, take an employee through a typical internet use scenario they might use in everyday life. This can include social platforms, data sharing, online account creation and use, etc.
Use the personal side of online life to demonstrate important security threat indicators and how to spot potential threats. Make links between how to improve personal security using measures such as two-factor authentication and data sharing awareness and weave these into a corporate setting.
The connection between personal and business life will bring security awareness into the office, with the personalisation of security threats helping to make the lesson stick in an employee’s mind.
Team Spirit: Make Security Awareness a Team Sport
Many people learn well within a team environment. A cohesive team can be encouraging and help with engagement, especially with complex or dry topics like cyber security.
Research has shown that ‘prestige’ learners, aka, people who are held in high esteem or shown to be good at something, can be useful in helping others in a group to learn. Create a security awareness team spirit and include those with the most rewards, or popular colleagues, within those groups.
Compete: Make Security Training a Competition
Pitting teams against each other can also help to engage employees in learning about security. Add a prize or two to the competition, and then you can ‘let the games begin…’.
Taking advantage of the human competitive spirit is a great way to keep employees engaged in a security awareness program. Security awareness competitions can take the form of different types of security attacks, e.g., a social engineering game where Team A actively changes tactics to trick Team B into doing their bidding. Escape room type security awareness competitions can also be entertaining, fun, and effective.
Gamify: Make Security Awareness Interesting
No one likes to sit through boring lectures on a topic they don’t see as relevant to themselves. Make Security Awareness Training sessions interesting. Many security awareness programs now include interactive training videos that provide interesting storylines that engage employees.
Using ‘gamified’ security training sessions is more successful in making security knowledge stick. As Gabe Zichermann said in his book ‘The Gamification Revolution’, “Gamification is leading the charge to radically change industries by making it more fun and ultimately more effective at building a strong, happy, and better engaged community”. Zichermann describes mechanisms such as making tasks personal and having meaningful incentives, which will encourage positive behaviour and good outcomes.
Reward: Make the Security Awareness Program Rewarding
We all love to be rewarded for a job well done and Security Awareness Training is no different. Security awareness programs typically use a series of tasks, quizzes, and systems such as phishing simulations, all of which offer an opportunity to reward security-positive behaviour.
If individuals (or departments) do well, reward them. Rewards can take many forms, from something as simple as a verbal “well done!” to a certificate for an office wall or a small gift card for coffee and cake. Some companies even offer cash incentives; after all, employees who do well in these exercises will be actively protecting your company from expensive threats such as ransomware.
Continued Engagement in Security Awareness
With the costs of cyber attacks such as ransomware spiralling, it is vital to de-risk cyber attacks by any means: Security Awareness Training is part of the overall security strategy of an organisation that takes security seriously.
However, to make the security education effective, the delivery of the program must be engaging. Use MetaCompliance’s five ways to make your security awareness program engaging to ensure that employees listen and understand the importance of security awareness in the workplace.