Building Cybersecurity Culture With Effective Awareness and Training Programs

By Aleš Zupan, Ph.D., CISA, CRISC, CGEIT, CISSP

The Nexus  |  Monday, 10 June 2019

Different information sources claim that 90% of cyberattacks are successful because of the mistakes made by information technology users.1, 2 The range of mistakes is broad and includes bad password practices, systems with open vulnerabilities, susceptibility to phishing and spear phishing attacks, risky information sharing practices and more.

As a previous article published in The Nexus stated, cybersecurity culture enables the provisioning of security awareness and training programs.3 Conversely, an effective and efficient cybersecurity awareness and training program contributes to the creation and maintenance of the cybersecurity culture.

An organization may invest significant resources (both financial and human) into the creation of a cybersecurity awareness and training program covering all past, existing and emerging threats. However, the endeavor may be totally in vain unless there is a clear understanding of the population the program is targeting and how those end users learn. What is a portrait of today’s typical learner?

Figure 1 shows the characteristics of a modern learner according to a recent study.4

Figure 1—Characteristics of a Modern Learner

| Characteristic | From Where Does It Come? | What Is the Consequence? |
|---|---|---|
| Overwhelmed | The intensive work demand and information overload. | On average, only 1% of the working week is reserved for training. |
| Distracted | Too many communication channels with frequent distractions. | Difficult to keep focus; superficial information prevails over in-depth activities and insights. |
| Impatient | Availability of search engines to quickly locate information on the Internet. | Difficult to keep the learner within the boundaries of the internal training framework. |
| Mobile and untethered | Availability of mobile devices and seamless connectivity; combination of employees, temporary workers, contractors and freelancers. | Difficult to reach out and retain people’s attention. |
| Collaborative | Availability of social platforms. | People search for information among peers, not from official training frameworks. |

These characteristics can limit the effectiveness of training programs. However, if known in advance, they can be embedded into the creation of a training program to maximize its impact.

Which old and new wisdom should be heeded to create and manage an effective training program?

There are many instances in which security training programs are created from scratch or redesigned. Frequently, gut feelings and trial-and-error approaches are employed, resulting in poor or mixed success. To avoid such arbitrary approaches, there are some proven concepts that should be considered as a base when creating or updating security training programs.

Repetition

The human memory is not perfect, and people forget information. In 1885, a German psychologist experimentally confirmed 2 facts about remembering (and forgetting):

  1. The rate of remembrance decays exponentially over time.
  2. After each training repetition, the decay rate is reduced and the knowledge is retained for a longer period of time.5

The key finding from this research (whose validity has been reconfirmed many times) is to repeat the training as often as possible, preferably using different delivery methods (modalities).

Grab Learners’ Attention Quickly and Retain It (If Possible)

Years ago, psychologists discovered that humans think in 2 ways:

  1. Fast, instinctively
  2. Slow, giving a subject deep thought6

Considering the behavior of modern learners, the second option is less likely to occur. Thus, training programs should attract the learners and engage them in a matter of seconds.

To accomplish this, effective learning programs should employ methods similar to those used in modern marketing campaigns. These would include, for example, developing a strong brand for the training program (immediate recognition), teaching the learner information and knowledge that can be used immediately (focus on learner success and forget about annual hours-long compliance training), and ensuring post-training repetition (e.g., training and information is easy to find and replay; a common place to interact with other learners and share views or acquire missing pieces of information is provided).

Utilize Different Training Modalities to Maximize Learning Impact

Researchers have determined that learners retain more information when they do rather than just listen, read, or observe.7 Additionally, because today’s workplaces have 3 or even 4 generations of personnel working together, the same training material should be presented in several modalities (i.e., study materials, classroom training, computer-based training, short videos, simulations and hands-on experience) to be inclusive of different preferred learning styles and delivery methods.

Measure Progress

No program can be efficiently managed without appropriate measurement criteria in place. One of the best frameworks for measuring the effectiveness of awareness and training programs is the 4-stage Kirkpatrick Model.8 This model measures the following:

  • Reactions—Participants’ first reaction after exposure to the training.
  • Learning—Amount of information that is absorbed during the training.
  • Behavior—How training has impacted the behavior of participants.
  • Results—Impact of the training at the business level.

These measurements should be consistently collected and used to create the next “waves” of the training program, as described in the next section. When setting up the measurement system, start with goals at the business level and then work down to define appropriate measures for behavior change, learning effectiveness and learners’ reactions.

Creating an Effective Program

Several proven concepts and practices for developing training programs have been discussed herein. To build a successful training program, practitioners should combine those concepts and practices, for example:

  • The program should be continuous and repetitive. For the sake of the enterprise it is best to launch new topic areas in waves. This allows the learners to focus on a certain topic and at the same time allows the team that prepares the training to focus on one topic at a time (figure 2).
  • The delivery of the training content should come in different modalities, from traditional ones (e.g., classroom training, computer-based training) to more advanced modes (e.g., short videos, simulations). Training should cover a wide range of learning modes (e.g., listening, reading, observing, doing) and delivery channels (e.g., on-site, computer, mobile training while out of office and on the move).
  • Social platforms allow interactions within communities, peer learning and quick retrieval of previous training. The discussions should be carefully moderated by dedicated or part-time employees whose objective is to maintain the cybersecurity culture through maintenance of the community.
  • All components of the training plan should be branded to ensure that the learners know that the information in the training (or any other piece of information) is coming from a trusted source and is correct, valuable and immediately applicable.
  • Measurements should be performed at each point of the program (e.g., how many training initiations and completions, how many posts and interactions, reaction to phishing attacks [clicks, reported suspicious content]). Additionally, quizzes and surveys provide further learning opportunities and feedback collection.

Figure 2—Wave-Based Cybersecurity Awareness and Training Program

Source: BrightStar Consulting, Internal Cybersecurity Awareness and Training Program Methodology. Reprinted with permission.

Additionally, as figure 2 demonstrates, a wave-based scheme is flexible: on one hand, it allows for the arbitrary selection of awareness and training delivery methods for each wave; on the other hand, it ensures continuity through social platforms, where training materials and immediate responses from the community are available at any time.

Building such a program is not a simple project and it cannot be done overnight. It is more like a journey that is shaped by the cybersecurity culture and, in return, shapes the cybersecurity culture of the enterprise.

Aleš Zupan, Ph.D., CISA, CRISC, CGEIT, CISSP

Is an experienced IT executive with more than 20 years of experience in large global telecom and pharma corporations, where he held positions as chief information officer (CIO), head of IT governance, risk and compliance (GRC), and cybersecurity awareness and training manager. Today, he works as an international management consultant focusing on GRC topics, including cybersecurity and cybersecurity awareness and training programs. He operates out of Ljubljana, Slovenia, and can be reached at ales.zupan@brightstar-consulting.com.

Endnotes

1 Kelly, R.; “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior,” Chief Executive, 3 March 2017
2 Adeola, A.; M. O'Connell; “Cyber risk: It's a People Problem, Too,” Willis Towers Watson, 25 September 2017
3 Alvarez-Dionisi, Luis Emilio; Nelly Urrego-Baquero; “Understanding and Implementing a Culture of Cybersecurity,” The Nexus, 13 May 2019
4 Tauber, Todd; Wendy Wang-Audia; “Meet the Modern Learner: Engaging the Overwhelmed, Distracted, and Impatient Employee,” Bersin by Deloitte, 26 November 2014
5 Ebbinghaus, Hermann; Über das Gedächtnis. Untersuchungen zur experimentellen Psychologie, Verlag von Duncker & Humblot, Germany, 1885
6 Tversky, Amos; Daniel Kahneman; “Judgement under Uncertainty: Heuristics and Biases,” Science, 1974
7 Dale, Edgar; Audiovisual Methods in Teaching, 3rd Edition, Dryden Press, USA, 1969
8 Kirkpatrick, Donald L.; James D. Kirkpatrick; Evaluating Training Programs: The Four Levels, Berrett-Koehler, USA, 2012