Most employees and even many security professionals would likely agree that security training content is boring. In fact, people often assume that corporate training materials, in general, are inherently boring—and need to be that way.
So we’re not surprised that many potential customers approach us with the belief that their employees need to be ‘force-fed’ training content. Others have resigned themselves to achieving low content viewing rates—as low as 15 percent in some cases. In both cases, we say the same thing: it is possible to give your employees the freedom to choose what they learn during security training while still generating high levels of engagement.
And it all starts with understanding the basic principles of employee engagement and how they pertain to your security training content.
What is Engagement, How is it Measured, and Why Does it Matter?
Much has been written on the subject of engagement, so we aren’t going to attempt to provide a comprehensive overview in this post. Instead, we’ll focus on how it applies to cybersecurity professionals like you.
When it comes to security training, we define engagement as the willingness of employees to go beyond merely viewing the content. When employees are truly engaged in training, they interact with the materials instead of ‘going through the motions’ to comply with a requirement. In more concrete terms, we measure engagement by tracking the number of times an employee visits a page before moving to the next one and comparing it to the estimated time required to consume the content.
In our experience with the training content we’ve developed, a page that takes on average 30-50 seconds to consume has a median dwell time of 30 seconds or longer, with recurring visits stabilizing around a mean of 20 seconds. These results indicate that our customers’ employees willingly read the most significant parts of the content. It’s a good metric to determine if the content is both relevant and engaging.
After reading this, you still may wonder why employee engagement matters, especially if your subsequent phishing simulations generate lower clickthrough rates. Simply put: engaged employees are far more likely to retain the knowledge they’ve gained during training, while bored employees are apt to tune out the message you’re trying to get across to them.
The Rules of Engagement
In the marketing world, the phrase ‘content is king’ has been repeated many times. But we believe this overused expression contains an essential truth that applies to security training just as well as it does to marketing campaigns.
Engaging and effective content appeals to consumers—and when it comes to training, your employees are consumers. They are people with different drives and motivations who will have unique reactions to the content you prepare for them. Experienced security content creators recognize that employees can’t be forced to engage with training materials, just like savvy marketers understand they can’t compel consumers to buy the products they are advertising.
With this in mind, we’ve come up with three simple rules for crafting engaging content:
Rule #1: Relevancy. Imagine this scenario: Shirley receives an email about owing a debt to a company she’s never heard of, clicks the link, and finds herself staring at a set of slides about the dangers of phishing. A worthwhile message, but one that’s likely to be lost on Shirley, who only wants to go about her workday.
The rule of relevancy is that the content has to fit the phishing simulation: it must be contextual, concrete, and actionable. If we’d followed this rule in our scenario, Shirley would have been presented with a much simpler, more direct message: “This is how you could have known the email was a phishing scam.” If she wants further information, we’ll provide it to her—but only after we’ve communicated the essential points.
Rule #2: Adaptability. In our second scenario, Shirley (poor Shirley!) falls for another simulation: an email about low-priced plane tickets. Once again, she clicks the link and is shown a slide deck about the importance of security—the very same content she viewed in our first example. She thinks to herself: “I know this already. Sure, I’ve made some mistakes, but nothing is new here.” She then closes the browser tab and gets back to her work.
The rule of adaptability is that content should achieve consistent learning objectives without being repetitive—it must change to some degree every time it is presented in order to sustain employee interest and engagement. If we’d followed our second rule, Shirley would have found a message telling her something like: “Sorry, there are no bargains here” before presenting her with a different version of the training content.
Rule #3: Brevity. Let’s stop picking on Shirley for a minute and turn our attention to Jason, one of Shirley’s direct reports. Jason’s a busy guy who doesn’t have much time to read long articles or blog posts. But when he receives an email from ‘HR’ with the subject, ‘A special notice for all employees,’ he immediately falls for it.
When he gets to the training, the icon letting him know he’s viewing the second of 21 slides leads him to decide there are better things to do with his time. He believes in the importance of security, but it’s a busy time in his department and barely a minute can be spared.
The brevity rule is simple: content must be short and to the point. A good rule of thumb: if the core message can’t be understood by an employee within a minute, the content is too long. If our content were created with this rule in mind, Jason would first skim the page, understand it’ll take him only a minute, and read through it before going back to business as usual.
We believe employee engagement is a good indicator of how well your security training is performing. We don’t want our customers’ employees to watch our training simply because someone told them they have to—we want them to do so because they think it’s actually worth their time. And while it’s probably an unreasonable goal to expect your employees to see training as a ‘joyful’ experience, it’s more than possible to have them emerge from training better informed and more aware of potential security threats. And what better reward is there?