Exterro's Legal GRC Breakdown

Get your daily dose of news, best practices, and technology from Exterro's e-discovery, privacy, and digital forensics experts here.

< BACK TO ALL STORIES

The Components of a Great Security Awareness Training Program

Created on September 2, 2022


Director of Marketing, Exterro

Over the past couple years, in light of the surge of hybrid and full-time remote workers, organizations have put renewed interest in cybersecurity training for employees. With all the trends in cybercrime pointing toward more frequent and more costly incidents and data breaches, there's a real incentive to making sure your training is effective. But unfortunately, it can actually be hard to accomplish the goal--especially remotely. 


For example, during the training you have to keep your employees engaged and motivated to pay attention. After all, you want them to maintain a reasonably strong level of cyber-hygiene after they have been trained. The bottom line is that if you lose your employees’ interest in the training, they will also be much less motivated to help you protect your digital assets. In this article, we examine some of the key components that make an “awe-inspiring” cyber training program.

The Components of a Successful Security Training Program


In order for your employees to remember and put into action what they have learned, you need to make the training scary, fun, exciting, and competitive--all at once. Here are some techniques that you can use:


Use the Principles of Gamification


As the name implies, make your training into a game. In other words, it’s like filling in a jigsaw puzzle. You put in some of the pieces, but then motivate your employees to put in the rest. First, you have to introduce them to what you want to teach. For example, it could be about ransomware. In this instance, you instruct them as to how this threat variant actually takes place (no need to get into all the technicalities here—if you do, you will lose them instantly). Then, you engage your employees with simulation exercises in order to garner their interest further. To motivate them even more, you award points and recognition badges after they have successfully completed a particular task. For example, if they successfully detected the beginning of an attack (such as getting a phishing email), you award them with an honorary badge if they take the right steps to mitigate, such as deleting the email and notifying the IT Security team about it. If you use Gamification in your cyber training, it is important to break your employees into teams in order to foster a more collaborative environment.


Make the Training Relatable


One of the best ways to make your employees understand the full ramifications of a cyberattack is to actually talk about a real-world scenario. But in order to demonstrate its full impact, you need to relate it in a way that it has impacted somebody that they are close to, such as a coworker. It will make the strongest impression if you can bring the affected coworker in to talk about it. For example, if an employee in your company has become a victim of identity theft, perhaps you can get that person to discuss how he or she found out about it, how it affected their daily life, and the steps they have taken to mitigate the risks of this from happening again.


Make the Trainees Laugh

Yes, cybersecurity is a very serious thing, but you know what? Remember this old saying, laughter is one of the best forms of medicine? Recent studies have shown that laughter is also one of the best ways to cultivate a sense of trust and goodwill among your employees in order to help them learn.1 A good way to engender this is to have your employees perform in various funny skits that simulate real-world security breaches. For instance, you can have one play the role of a cyber attacker, while the other plays the role of the administrative assistant. This could mimic a Social Engineering call in which the goal is to wire a large sum of money from the company into a phony, offshore bank account.


Use a Variety of Styles


One of the worst things you can do in a cyber training program is to give a lecture-style format that drones on and on. This is guaranteed to lose the interest of your employees in the first 10 minutes. So instead, mix up the training program by varying its content. For instance, the first part can be a lecture about phishing email, then a game, followed by a real-life story. With this kind of approach, you can almost bet your employees will walk away after the training with a much better sense of how to identify a phishing email, and the corrective steps they need to take if they get one.


Incorporate Videos


At the end of the cyber training, one of the best ways to recap the major points is to put them into a video, which can also add more variety. It is important to keep this video short, no more than 4 to 5 minutes in length. The video should not be someone just talking, it should be engaging as well. As an example, use cartoon-like characters in order to keep your employees’ interest.


It is very important to remember that Cyber Training is not just a one and done deal. You need to keep having these kinds of programs on a regular basis in order to keep your employees’ level of Cyber Hygiene its highest. So remember these pointers:

  • Have your training sessions once a month or at a minimum once a quarter.
  • Keep them no longer than one hour in length. After that, you are guaranteed to lose your employees’ attention span.
  • Make sure you are reinforcing the concepts you have been teaching. For example, from time to time after they have completed their training, execute a mock phishing attack to see how many employees fall prey to it.
  • Make use of metrics in order to quantify the ROI that your company is getting from the training. This is all that your CIO and/or CISO will want to see, so if you can provide these kinds of numbers, you will have a much better shot in getting more funding for future Cyber Awareness programs.

With more and more organizations adopting Zero Trust principles, make sure you're ready to conduct investigations into the inevitable incidents that will arise.