
5 Tips to make your Cyber Security Awareness Programme More Effective
1) Rationale for the Training – Your participants should understand the rationale behind cyber and information security training. In fact, this is a crucial step. They should be informed (in the nicest way possible of course) of the ramifications of a cyber-breach incident. Some participants may hold the belief that their organisation would not be a target. Or, they might simply believe that a cyber attack would just entail the restoration of company data from backup servers and everything would be OK. Participants need to be informed of the reputational, financial, and operational costs of a cyber attack on their organisation.
2) Tell Stories – According to neuroscience, the brain does not store facts, ideas, or experiences like a computer. Instead, it embeds them in networks of perceptions, facts, and thoughts. This is why storytelling or case studies are so important. If used correctly, stories of peer organisations that have been compromised paint a rich, vivid, and memorable picture for your audience. You take them from a mindset of “that could never happen to us” to “that could happen to us”.
3) Be a Mixologist – This may sound counter-intuitive but mixing up cyber security topics actually makes for more effective learning. (And yes, empirical evidence from learning effectiveness studies backs this up.) For example, if talking about phishing, don’t just treat the subject as something that happens over email. Throw in some examples from other channels such as Slack and SMS. And then include some content about device security. In learning theory, this process of “mixing-up” content is called interleaving. This is a powerful technique because it prepares the brain for the unexpected. Seeing something out of place wakes up the brain and encourages deeper processing. In other words, interleaving prepares the brain for curveballs. That’s exactly what we want in effective cyber security awareness training, because the “surprise factor” is a major chapter in the cyber criminal playbook.
4) Use Both Words and Images – According to several empirical studies, the learning process is greatly enhanced when it’s not just about words but also visuals. This process is known as dual-coding. This is one of the reasons why memorisation techniques such as mind mapping are so effective. The brain processes the information using both words and images. For example, when conducting cyber security awareness training, the mechanism of how malware infects a computing device might be difficult for some participants. However, put that same information in a flowchart format and it becomes much more digestible and memorable.
5) Get your Employees Involved – Cyber security awareness training should not be a passive process. Participants need to put what they’ve learnt into action. Here at SecureClick we use our CyberGame, where participants are put into groups and asked to devise a plan to socially engineer an employee at one of their peer organisations. Assuming that you’ve executed your instructor-led or e-learning methodology properly, your participants will surprise you here. You will see them put into practice (on paper at least) social engineering concepts and cyber criminal tactics that were covered during the training. This greatly aids in the synthesis and memorisation of information. But something else very important happens here too: participants will hear from a peer some of the ways an employee could be socially engineered. The process of peer-to-peer learning deepens understanding because employees listen to their peers. It also adds an element of peer pressure to engage with the content.