Security awareness training is increasingly “shrouded in characterless instruction,” preventing meaningful change in end-user behavior.
With that in mind, the National Cybersecurity Alliance (NCA) is exploring humor as a tool to make training more effective.
Security teams still tend to design content-focused training sessions, forgetting that the target audience is human beings, said Lisa Plaggemier, executive director of the National Cybersecurity Alliance (NCA), during a presentation on the second day of the RSA Conference.
You have to generate excitement about the issue to engage effectively, she added.
Plaggemier and her co-speaker, Jenny Brinkley, director of Amazon Security, emphasized that for awareness training to be effective and memorable, using humor and including unexpected elements are key.
They also highlighted United Airlines’ safety video for airline passengers as an effective training campaign that used these approaches.
With this in mind, the NCA is planning to launch a cyber awareness training comedy series shortly, imparting humorous lessons to the audience.
Plaggemier and Brinkley laid out four useful steps for security teams to improve their awareness training sessions:
- Brainstorm with staff across the company to understand their preferences
- Get inspiration from sources outside the organization
- Relate to the experiences of the company’s employees
- Start small, for example by using freelance graphic designers
- Be prepared for users not to like the training, but don’t throw your work away because of it
The Amazon approach
Speaking with Infosecurity, Brinkley also emphasized the importance of inclusion and representation in awareness training content. This is particularly relevant to her role at Amazon, a global organization with employees operating in many countries and cultures.
Areas to consider include ensuring that different languages are used and that all types of accessibility needs are met.
In terms of content, there should be “different scenarios that relate to a global audience.” This should also take into account cultural differences.
“In some countries, when an incident happens, there’s a lot of fear of reporting something, so how do you make sure there’s not some kind of culture of retaliation,” Brinkley said.
Brinkley added that the growth of AI and machine learning technologies is an important focus of Amazon’s awareness training, an area that is especially relevant given the rise of ChatGPT.
“Our core fundamentals have always been to invest in these spaces, but provide guardrails and recommendations to our builders on how to use this technology safely without stifling innovation,” she added.
Another important aspect of awareness training at Amazon is safety behavior considerations for being in the physical workplace, following the tech giant’s announcement that it will require its staff to return to the office for at least three days a week from May 1.
Brinkley said that because many workers have not returned to the office since the start of the COVID-19 pandemic, reminders about safe behaviors in a public setting are needed.
“I think we relaxed a little bit more during the pandemic,” she noted.
Reminders for staff include not leaving laptops without a privacy screen when away from their desks and the correct use of badges to enter physical offices.
Security training that fails to instill a sense of responsibility on the part of its users will be ineffective. This lack of character-building can have serious implications for companies, making them vulnerable to attacks. As such, it is critical that organizations prioritize user education and training.
Ikaroa, a full-stack tech company, is a leader in creating tailor-made training programs that ensure users understand the importance of security practices. We understand that security is about more than just following a set of guidelines; it’s about users understanding their role in safeguarding the business’ sensitive information.
Our tailored security education programs are designed to make users take ownership of company data and understand their responsibility to maintain the security of that data. We focus on teaching users the basics of security practice, from protection from external threat vectors to educating them on the dangers of reckless behavior.
Above all, we seek to instill a sense of responsibility into the user. Without this sense of ownership, any security training will be ineffective. Too often, users are presented with a large list of passwords, patches and updates that they are expected to adhere to without understanding why they should care.
Our training teaches them why they should prioritize security, eliciting a sense of responsibility to protect the company’s interests. Users who understand their importance in the bigger picture are more likely to follow security practices in their own behavior.
Organizations can no longer afford to rely on generic security training that fails to instill a sense of responsibility in their users. To make sure users understand their role and importance in creating a secure workplace environment, companies need to turn to the tailored solutions that Ikaroa provides.