5 proven ways to increase the power of your cybersecurity training

23 April 2018
by Oz Alashe

With each new people-triggered cyber-attack, the human aspect of cybersecurity receives more attention. The cybersecurity industry is beginning to demand an evolution in cybersecurity training.


In 2017, researchers from the University of Adelaide published a paper highlighting an interesting finding about the factors affecting cybersecurity awareness within organisations.

The researchers found that, as the reported frequency of security training increased, staff security awareness actually decreased. According to reports, every time organisations held a new security awareness training session with the explicit aim of increasing security awareness, security awareness eroded.

Research increasingly shows that today's cybersecurity awareness campaigns need to change. Few, however, are saying what the changes should look like.

Here are five steps you can take in the right direction.

1. Reward positive behaviours

In the 1930s, the power of rewards was first championed by the psychologist BF Skinner, who studied positive reinforcement in animals. Skinner famously found that rats could be trained to push a lever in response to a stimulus if they were rewarded with food.

Although it might seem simplistic, the same is true of people. Rewarding studying increases academic attainment; rewarding physical activity increases exercise; research even suggests that increasing child support payments (arguably 'rewarding' parenthood) increases birth rates.

Rewards are accepted as motivators elsewhere in the workplace, yet almost entirely overlooked in cybersecurity awareness campaigns.

Should positive security behaviours be discussed as part of performance reviews?

2. Use ongoing testing

The fact that tests are a proven learning aid makes them a feature of most cybersecurity awareness campaigns. But most tests take place immediately after training sessions. Few campaigns continue testing people over time.

In 2008, research examined the effects of testing on two cohorts of students. The first cohort were tested on a subject one week after learning about the subject. The second were tested 16 weeks after learning. Nine months later, the cohort tested after 16 weeks retained more of the learned information than those tested one week after learning, suggesting the effects of testing can be enhanced when tests are delayed.

In our experience, we've found that tests that take place after training – such as after simulated phishing attacks – can increase security performance, especially when promoted as part of a secure culture.

Today, companies are running repeated security training. We'd probably be much better off running repeated tests.

3. Use stories

Training that makes use of stories instead of simply listing facts almost always increases long-term recall. According to Stanford University research, stories are up to 22 times more memorable than facts alone. In his book The Storytelling Animal, Jonathan Gottschall argues humans evolved to tell and learn from stories.

So let's suppose we want to make users think twice before downloading potentially malicious attachments. We could simply remind them to stop and think before downloading attachments. At CybSafe, though, we find retelling stories such as that of Dridex (malware spread through attachments that steals the banking information of customers of European banks) to be much more effective at achieving our aims.

4. Use fear wisely

Using fear in awareness campaigns is a contentious issue.

Research suggests that fear can backfire should threats never materialise. It's also true that fear can cause users to act more cautiously when assessing potential threats (so long as they are offered simultaneous advice on how to mitigate threats). The sobering truth is that for just under half of the businesses that took part in the UK government's 2017 cyber-breaches survey, threats have already materialised.

It seems that the effects of real-life examples – discussed as stories – could be bolstered when the stories elicit a healthy amount of fear.

5. Encourage independent learning

According to Malcolm Knowles' theory of adult learning, adults learn best independently. Yet, few of today's security awareness campaigns even facilitate independent learning, let alone encourage it.

Allowing users to access training material whenever and wherever they want – through cloud-based mobile applications – facilitates independent learning.

In our experience, we've found removing barriers to learning to be extremely effective – a move supported by Nobel prize winner Daniel Kahneman.

By running awareness campaigns designed using psychology, we can transform the current perception of people as the main weakness in a firm's line of defence into one of people as a resource capable of identifying and negating the most common cyber-attacks that companies suffer today.

With better cybersecurity awareness campaigns, people can become our ultimate defence.

 

Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. Oz Alashe is the CEO of CybSafe, one of the Law Society's endorsed cybersecurity partners.


About the author

Oz Alashe MBE is CEO and founder of CybSafe. A former British Army and Special Forces Lieutenant Colonel, Oz has a successful track record of developing and leading the specialist application of intelligence, cyber and risk management capability to tackle sensitive challenges in business and government.
