How Can I Get Employees to Engage with Security Content?

How do you know if your security awareness training is making a difference? Effective learning can only be shown by a change in employee behavior, and when it comes to cybersecurity that isn’t always easy to promote.

You want your employees to engage with your content, but the truth is that this can’t be forced. After all, the very word ‘engagement’ implies that users want to get involved and so they need to opt-in.

Showing Employees That They Have a Security Gap

The first step is therefore to create an awareness program that works for the users, and that they want to engage with. For that to happen, they need to recognize that they are bringing risk to the organization and that they need security awareness training in the first place.

This is actually harder than you might think, as security is not an area in which employees see their mistakes. Compare security to other areas of the business. In DevOps, you run a line of code that either works or doesn’t. In Marketing, you create a social media campaign that either receives interaction or falls flat.

However, when it comes to Security, you’re dealing with a much weaker learning environment. There is no instant response if employees get it wrong: they could click a phishing link and then continue with business as usual. In fact, there’s no way of knowing whether you’re sitting in the quiet comfort of a tight ship, or in the silence that signals the eye of the hurricane.

Your security awareness training needs to challenge this naturally weak learning environment, and instead show employees that they have something to learn.

Creating the Right Environment for Learning

Secondly, your training needs to create the optimal environment for users to engage with your content. We call this ‘just-in-time learning.’ Let’s think about a normal situation that everyone has experienced. You’re walking down the road, and suddenly, you trip. After getting up and dusting yourself off, what’s the first thing you’d do?

Most people would say that they would immediately look behind them, or look down, to see what they tripped on, and why they fell over. This is the brain’s built-in learning mechanism, and we all have it. It’s triggered when something goes wrong, whether that’s making a mistake, or after a negative experience. It’s a reflex, and it’s only there for a few seconds at most.

If I offered you a training course where you can learn how not to fall over, with key insights such as “Be careful of curbs” or “Avoid slippery surfaces”, this would be almost useless – a waste of your time. And yet traditional security awareness training programs do exactly this, utilizing theoretical learning methods at set points in time, offering advice such as “Don’t click on unsafe links.” In contrast, it is in those few seconds after an event that we learn to change our behavior for the next time.

This is why Security Awareness Training works best when it’s attached to the event itself, and that’s why at CybeReady we utilize ‘just-in-time’ learning in our platform. If an employee clicks on a dangerous link, they will immediately receive feedback that can show them what they did wrong, and how they could avoid it for next time. Boom – you’ve turned a weakened learning environment into one with immediate feedback, AND you’ve triggered the innate learning mechanism, giving your employees the best chance for growth.

Encouraging Your Users to Engage with Your Content

Of course, it’s natural that security teams want to know that all of the content is being read, and to feel in control over the absorption of the training that they provide. For many companies, this is a hard hurdle to cross. But remember, forcing employees to read or engage with content is no indication that they are learning.

That’s why at CybeReady we measure behavior rather than focusing on “passive” metrics such as pages read. Rather than assuming that employees are low-risk because they have been given a certain amount of learning material (material they may not have been able to relate to), we look at their real-world behavior and know for certain whether actual learning has taken place.

That’s not to say that you can’t create training content that invites user engagement. By providing the freedom to learn or not learn, you can trigger curiosity, which promotes the feeling that this is what the user wants to be doing. You can also offer your training in a format that is proven to work well: short, consumable ‘bites’ that are easy to read and absorb.

Lastly, make sure to offer these short ‘bites’ frequently enough (at least once a month) and where it’s convenient to employees, as a part of their work routine, which will also increase engagement. We do this by sending training directly to their inbox so they access it during their working day like any other correspondence, as opposed to sending staff to sign up for an external course. In this way, employees can choose to consume the content when it’s convenient for them.

Still wondering how to engage your employees? Read the full video transcript here:

The first rule is just-in-time training

Let’s face it. Nobody likes to consume security awareness content. The problem is that security awareness programs are not employee-centric. They do not put the employee of the organization at the center of their planning. Now, what does it mean to create an employee-centric security awareness program? It means following three rules. The first rule is just-in-time training. You need to provide the content when it’s the right time for the employees. The shorter it is, the more chance there is that it will be the right time. It has to be digestible. Employees need to be able to identify easily and quickly that they can consume the content and that it’s relevant to them.

Stop chasing employees

The third rule would be that employees need to have the option to engage or disengage with the content. Stop chasing employees. Chasing them only sends the message that the content is boring, it’s not at the right time, and not digestible. The alternative to chasing employees is to build a continuous training program that provides multiple opportunities throughout the year for employees to engage with the content, and also to accept the fact that not all employees will engage with all the content all the time. The fact that not all of your employees read Wikipedia from start to end doesn’t mean they don’t know anything. Everybody consumes parts of the content.

You don’t need everyone to know everything

If you want to change your organizational culture and create a culture of security, you don’t need everyone to know everything. You need everyone to engage with security throughout the year, with parts of it. What parts? The relevant parts. The parts that were at the right time, meant something for them. If everyone engages with security content positively throughout the year, you’ll have a security awareness culture in your organization.

If you’re an InfoSec leader looking to create a Security Awareness Program that is truly user-centric and engages your employees – let’s talk.

Author:
Omer Taran
March 11 2021