Security awareness training is not a one-size-fits-all solution. While some organizations tailor their training to different departments or seniority levels, it’s not a common practice to adjust based on age group, for example. Since distinct age groups each learn in their own way, however, perhaps the enterprise should take these demographics into account.
When I used to create and administer security awareness training, there were many employees who needed to be put through classes. The thought of breaking them up by demographic was unfathomable. When I think back, however, it probably would have been more effective to optimize the training to different groups.
Is training based on age group the answer? Or are other demographics or characteristics more relevant?
I spoke with Dr. Jessica Barker, co-founder of Cygenta and a recognized leader in the human nature of cybersecurity, who offered unique insight into this complex problem.
One Security Awareness Training Does Not Fit All
In speaking with many security leaders, I’ve found it rare for companies to tailor awareness programs to meet the learning requirements of disparate demographics. This is no different for Barker, who finds that it is only the more mature companies (in security terms) that tailor their awareness programs at all.
“Many companies follow a one-size-fits-all approach, which is not going to be particularly effective,” she said. “We all respond to different hooks when it comes to awareness-raising. Particularly when we are communicating about threats, it is essential to communicate why the threat is relevant to the people we are addressing. A great deal of psychological research shows that if we don’t do that, we lose people.”
But let’s face it: Separating training groups by age demographic is probably not feasible for every enterprise.
Perhaps we’re asking the wrong question here, and it’s got less to do with one’s age than one’s personality. According to Barker, the more relevant you can make awareness-raising to your audience, the more likely you are to have higher engagement rates. Personality may just be the missing piece of security awareness training.
“When I do tailor awareness-raising with clients, most will split the organization by roles, so there will be different sessions for the executives, personal assistants, HR, finance, technical teams and others,” Barker said. “This is a sensible approach, because people in different job roles are often targeted with different types of attacks online.”
For instance, employees in finance are more likely to be targeted with CEO fraud, whereas HR professionals might be victims of a spear phishing email with a malicious attachment masquerading as a job application. Cybersecurity training content suitable for executives should be different from that which will most engage developers. By customizing training this way, organizations can better address the varying levels of technical knowledge and experience of their employees.
“Training that is relevant to the participants, which takes into account their level of understanding and experience, is far more likely to have a positive impact,” Barker added.
We Are the (Security) Champions
What piqued my interest most from my conversation with Barker is the concept of champions programs, which offer a disruptive yet forward-thinking approach to awareness training. She explained that a champions program works in the same way as health and safety programs, in which people who do not work in health and safety — or, in our case, security — for their day job volunteer to be representatives for their department.
These volunteers essentially become the friendly face of security in their department and support the security team in spreading security messages more widely.
“[The champions] also provide the first port of call for anyone in that team who has a security issue or question,” Barker said. “They aren’t expected to have all of the answers, but can help facilitate a two-way conversation between the business and security, as they are more likely to know what messages will have the biggest impact with their team members and how to more effectively engage everyone.”
For example, a champion might get a few moments in the spotlight during team meetings to discuss security issues, using the time to target messaging to the interests of people on their team. Because they know the personalities of their department, they’d know that some may be avid gamers, for instance. In this case, they could include a news story about recent security issues with online games. If there are a few parents of young children on the team, they could include some tips and resources on how to discuss online safety with younger children.
Focus on Empowering, Action-Oriented Security Training
Whether or not you believe champions can work for your organization, or even that you could find a way to train for different groups, I’m a firm believer that cybersecurity training should be adjusted to match learning styles.
And there are many distinct learning styles, Barker explained. Some learn best by listening and talking, others by observing, and still others by getting hands-on with a problem.
“Taking into account all of these different learning styles, and incorporating a mixture of them in your program, will be most effective. Use all of the channels at your disposal. This will make your awareness-raising more effective and engaging.”
In spite of that, many security awareness strategies work well regardless of demographics.
“The most important element, in my experience, is to focus on being empowering,” said Barker. “It’s easy to talk about the threats, but if we really want to change behaviors, then we must be action-orientated. We can’t simply scare people into being more secure; we have to show them how to be more secure, as well as why.”
If employees aren’t feeling empowered, they simply won’t be invested. Barker is right about scaring people; it may work for some employees, but believe me, I’ve tried it, and it yielded minimal success.
One last thing: Any of these strategies will need buy-in from the top. While scare tactics may not work on employees, they might just pay dividends for the C-suite when you demonstrate and quantify the risks of not having a robust security awareness training program. Now that’s a scary notion that can’t be swept under the carpet.