Exterro's E-Discovery & Privacy Breakdown



The Components of a Great Security Awareness Training Program

Created on June 30, 2021

Director of Marketing, Exterro

Over the course of this year, and especially as the COVID-19 pandemic has evolved, one of the most talked-about topics has been cybersecurity training for your employees. While this training is necessary, it can actually be hard to do well.

For example, during the training you have to keep your employees engaged and motivated to pay attention. And you want them to maintain a reasonably strong level of cyber hygiene after they have been trained.

The bottom line is that if you lose your employees’ interest in the training, they will also be much less motivated to help you protect your digital assets. In this article, we examine some of the key components that make an “awe-inspiring” cyber training program.

The Components

In order for your employees to remember and put into action what they have learned, it takes a combination of making the training scary, fun, exciting, competitive, etc. Here are some techniques that you can use:

Utilize the concepts of Gamification:

As the name implies, make your training into a game. In other words, it’s like filling in a jigsaw puzzle. You put in some of the pieces, but then motivate your employees to put in the rest. First, you have to introduce them to what you want to teach. For example, it could be about ransomware. In this instance, you instruct them as to how this threat variant actually takes place (no need to get into all the technicalities here—if you do, you will lose them instantly). Then, you engage your employees with simulation exercises in order to garner their interest further. To motivate them even more, you award points and recognition badges after they have successfully completed a particular task. For example, if they successfully detected the beginning of an attack (such as getting a phishing email), you award them with an honorary badge if they take the right steps to mitigate, such as deleting the email and notifying the IT Security team about it. If you use Gamification in your cyber training, it is important to break your employees into teams in order to foster a more collaborative environment.

Make the training relatable:

One of the best ways to make your employees understand the full ramifications of a cyberattack is to actually talk about a real-world scenario. But in order to demonstrate its full impact, you need to relate it in a way that it has impacted somebody that they are close to, such as a coworker. It will make the strongest impression if you can bring the affected coworker in to talk about it. For example, if an employee in your company has become a victim of identity theft, perhaps you can get that person to discuss how he or she found out about it, how it affected their daily life, and the steps they have taken to mitigate the risks of this from happening again.

Make them laugh:

Yes, cybersecurity is a very serious subject, but remember the old saying that laughter is one of the best forms of medicine? Recent studies have shown that laughter is also one of the best ways to cultivate a sense of trust and goodwill among your employees, which helps them learn.1 A good way to engender this is to have your employees perform in various funny skits that simulate real-world security breaches. For instance, you can have one play the role of a cyber attacker, while the other plays the role of the administrative assistant. This could mimic a social engineering call in which the caller's goal is to get a large sum of money wired from the company into a phony offshore bank account.

Introduce variety:

One of the worst things you can do in a cyber training program is to use a lecture-style format that drones on and on. This is guaranteed to lose the interest of your employees in the first 10 minutes. So instead, mix up the training program by varying its content. For instance, the first part can be a lecture about phishing emails, then a game, followed by a real-life story. With this kind of approach, you can almost bet your employees will walk away from the training with a much better sense of how to identify a phishing email, and the corrective steps they need to take if they get one.

Make videos:

At the end of the cyber training, one of the best ways to recap the major points is to put them into a video, which also adds more variety. It is important to keep this video short, no more than 4 to 5 minutes in length. The video should not just be someone talking; it should be engaging as well. As an example, use cartoon-like characters in order to keep your employees’ interest.

It is very important to remember that cyber training is not a one-and-done deal. You need to keep running these kinds of programs on a regular basis in order to keep your employees’ level of cyber hygiene at its highest. So remember these pointers:

  • Have your training sessions once a month or at a minimum once a quarter.
  • Keep them no longer than one hour in length. After that, you are guaranteed to lose your employees’ attention span.
  • Make sure you are reinforcing the concepts you have been teaching. For example, from time to time after they have completed their training, execute a mock phishing attack to see how many employees fall prey to it.
  • Make use of metrics in order to quantify the ROI that your company is getting from the training. This is what your CIO and/or CISO will want to see, so if you can provide these kinds of numbers, you will have a much better shot at getting more funding for future cyber awareness programs.
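The last two pointers go together: a mock phishing campaign only pays off if its results are turned into numbers that show whether the training is working. The following is an added example, not Exterro's code or a product of the article's author, that computes the metrics a CISO typically asks for from the per-recipient results of a simulated phish: click rate, report rate, the share of recipients who reported the email without first clicking it (labelled "caught"), and median time-to-report, broken out per campaign and per team so a before-and-after comparison is possible. The `PhishResult` record layout, the campaign names and all of the sample results are constructed for illustration.

```python
"""Awareness-program metrics from mock phishing simulation results.

Added example, not Exterro's code. Assumes each simulated phish yields one
record per recipient (PhishResult); field names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PhishResult:
    campaign: str                    # constructed simulation name, e.g. "2021-Q1"
    team: str                        # constructed team label
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the recipient never clicked the link
    reported_at: Optional[datetime]  # None if the recipient never reported the email


def campaign_metrics(results: Iterable[PhishResult]) -> Dict[str, object]:
    """Summarise one set of results (one campaign, one team, or any subset)."""
    rs = list(results)
    sent = len(rs)
    if sent == 0:
        return {"sent": 0, "click_rate": 0.0, "report_rate": 0.0,
                "caught_rate": 0.0, "median_minutes_to_report": None}
    clicked = [r for r in rs if r.clicked_at is not None]
    reported = [r for r in rs if r.reported_at is not None]
    # "Caught it": reported without clicking, or reported before clicking.
    caught = [r for r in reported
              if r.clicked_at is None or r.reported_at <= r.clicked_at]
    minutes = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in reported]
    return {
        "sent": sent,
        "click_rate": round(len(clicked) / sent, 3),
        "report_rate": round(len(reported) / sent, 3),
        "caught_rate": round(len(caught) / sent, 3),
        "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
    }


def by_team(results: Iterable[PhishResult]) -> Dict[str, Dict[str, object]]:
    """Per-team metrics, useful for the team-based gamification described above."""
    groups: Dict[str, List[PhishResult]] = {}
    for r in results:
        groups.setdefault(r.team, []).append(r)
    return {team: campaign_metrics(g) for team, g in sorted(groups.items())}


def trend(results: Iterable[PhishResult]) -> List[Tuple[str, float, float]]:
    """(campaign, click_rate, report_rate) per campaign, ordered by campaign name.

    The constructed names sort chronologically; a real program would sort by date.
    """
    groups: Dict[str, List[PhishResult]] = {}
    for r in results:
        groups.setdefault(r.campaign, []).append(r)
    out = []
    for name, g in sorted(groups.items()):
        m = campaign_metrics(g)
        out.append((name, m["click_rate"], m["report_rate"]))
    return out


def sample_results() -> List[PhishResult]:
    """Constructed data: one campaign before training (Q1) and one after (Q2)."""
    q1 = datetime(2021, 1, 15, 9, 0)
    q2 = datetime(2021, 4, 15, 9, 0)
    m = lambda mins: timedelta(minutes=mins)  # noqa: E731
    return [
        # Q1, before training: most recipients click, few report.
        PhishResult("2021-Q1", "finance", q1, q1 + m(3), None),
        PhishResult("2021-Q1", "finance", q1, q1 + m(7), q1 + m(45)),
        PhishResult("2021-Q1", "finance", q1, None, None),
        PhishResult("2021-Q1", "sales", q1, q1 + m(2), None),
        PhishResult("2021-Q1", "sales", q1, None, q1 + m(20)),
        # Q2, after training: fewer clicks, faster reporting.
        PhishResult("2021-Q2", "finance", q2, None, q2 + m(5)),
        PhishResult("2021-Q2", "finance", q2, q2 + m(4), q2 + m(6)),
        PhishResult("2021-Q2", "finance", q2, None, None),
        PhishResult("2021-Q2", "sales", q2, None, q2 + m(12)),
        PhishResult("2021-Q2", "sales", q2, None, q2 + m(8)),
    ]


if __name__ == "__main__":
    data = sample_results()
    for name, click, report in trend(data):
        print(f"{name}: click rate {click:.0%}, report rate {report:.0%}")
    for team, metrics in by_team([r for r in data if r.campaign == "2021-Q2"]).items():
        print(f"  Q2 {team}: {metrics}")
```

Reporting the "caught" rate separately from the report rate matters: a recipient who clicks and then reports has still exposed the organisation, so a rising report rate alone can hide a flat click rate. Tracking click rate, report rate and median time-to-report campaign over campaign gives the trend line that supports the ROI conversation with the CIO or CISO.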