Interview: How to Avoid Boring Cybersecurity Awareness Training 

KnowBe4’s Javvad Malik discusses results of a survey carried out at Infosecurity Europe examining cybersecurity awareness training

During Infosecurity Europe 2023, KnowBe4 surveyed attendees who visited at their stand to ask them about cybersecurity awareness training.

KnowBe4 published the results of the 220 people they surveyed and found that organisations are potentially at risk of a cyber incident due to irregular security awareness training. 

Infosecurity spoke with Javvad Malik, lead security awareness advocate at KnowBe4, about the findings.

Infosecurity Europe: You found that half of respondents admit that their organisations only conduct security awareness training once a year or once a quarter. What are the issues when training is carried out less frequently?

Javvad Malik: The challenge with training is it's unlike computers, you can’t patch someone like you would a patch a system. You can’t just tell someone to do something once. You must look at behaviour change; it happens through constant repetition and reminding people.

When we talk about security and awareness training, people often get scared and they think that means you have to give staff a half hour training module or lock them in the room for 45 minutes and bribe them with coffee and doughnuts. Instead, it could be something like a screensaver that pops up and reminds people of that behaviour that you’re training to reinforce.

It’s a bit like when we drive our cars and you see repeating signs on the road – you could say well you passed your test, you should know which lane you need to be in etc., but we still have road markings and signs on everything. It’s that constant reminder because as humans we forget or get distracted and that’s what criminals are relying on.

IE: You found 26% of organisations are running a ‘one-size-fits all’ approach. Why should organisations tailor their training?

JM: Some of this comes down to understanding your staff and giving them options. What we see is that from a compliance point of view you can just say ‘ok, here’s this big piece of training, everyone go and do it’ but if you understand who your teams are their functions you can begin to break out and say here's the HR department, here’s accounts, here's finances. Within that, say someone for fails a phishing test three times, you can put those people into a smart group called repeat failures or something and then you can say okay, why are they failing? Maybe we need to give them something else to do. This is something that the KnowBe4 Smart Groups function can offer within the active directory.

Using KnowBe4s Security Coach you can also carry our micro interventions to a micro training type of platform. For example, as someone plugs in a USB drive, you can then direct them to a bit of content micro content to say, ‘hey, do you know this is risky.’

This is really where automation in your training programme is key because if you’re trying to do that manually, it’s going to be very difficult.

[KnowBe4’s survey found that of the companies that did tailor their security awareness training, 46% modified training according to department, 25% adjusted it by personality type/learning style, and 25% adapted it by seniority.]

IE: 27% of respondents said their current programme was too boring. How can companies make their programmes more attention-grabbing?

JM: I think that there’s a couple of things in this. One is if you're too patronising or dull, you’re never going to capture people's attention. Sometimes, security people are obsessed with being right. It's almost like we have to tell them that we're right and we understand everything better than you do.

If you move away from that training mindset and move more into a marketing mindset of ‘okay you're a smart person, you can join the dots together, I don't have to be patronizing towards you’ and I can deliver something that's maybe more bite size and engaging, that's where people really latch onto it.

Also, not everything needs to be a hard, enforced, technical control. Look at something like recycling in the office – you normally have two or three bins, there's nothing forcing people to separate their waste, but just having those bins next to each other, clearly marked out, encourages people to do the right thing. People want to do the right thing; it’s just whether we make it easy for them or not.

People would adopt strong passwords if they had an easy way to go about that or it's nicely integrated and they weren't constantly having to reset their passwords after holidays etc.

Additionally, when thinking about making it engaging consider social media; you see people on TikTok and they do a great job to get an entire story into 30 seconds. Those are some of the things we should be incorporating as that’s how people are used to consuming information. They don’t have the attention span to sit and watch a 10-minute video.

There’s also a point about outdated content [22% in the survey found their content to be outdated] and studies have found that if you see the same bit of training content twice you feel like it is outdated, even if you don't remember the content. That's why having that bigger library or extensive content pack is so important.

Finally, the other part is the timing. For example, with my six-year-old, I've been teaching him about how to cross the road safely. We're doing the green cross code and it's one of those things you want to do at the time of crossing the road.

There's no point in me being at the dinner table saying to him ‘here's how you cross the road safely’ because it's not relevant for him at that time, he's going to forget it by the time he gets to the road. The intervention should happen close to the time and relevant for them at that point. That’s what makes it really powerful and it'll stick as a learning point. 

IE: Finally, what are your top tips for implementing a great security awareness programme?

JM: I'd say before you do anything it's important to build, a good relationship with your colleagues across the organisation. Have them understand why you need the help and how everyone's participation is so important.

Also, figure out what some of the common pain points are that people experience. Then let them know that you might be starting to do some simulated phishing tests and the reason you’re doing it. Explain that this is a collective effort to make this thing better.

Step number one is just to get people on board and not feel like the security team is trying to trick us, they're wasting our time now.

The second thing is focus on your key risky behaviours, just a couple at a time. Don't try and make everyone learn all the different content that you might have because that will just overwhelm and confuse them.

Third, I think it's important to remember we're not trying to make everyone a security expert. The objective is to raise people's spider senses so that when they see a suspicious email, they know to report it. Then there's a loop there where the security team can feed back to them whether it was an actual phishing email or a false positive. Either way, thank them for their help and reinforce that first step that you're helping us all stay secure. 

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?