
5 proven ways to increase the power of your cybersecurity training

23 April 2018

With each new people-triggered cyber-attack, the human aspect of cybersecurity receives more attention. The cybersecurity industry is beginning to demand an evolution in cybersecurity training.

In 2017, researchers from the University of Adelaide published a paper highlighting an interesting finding about the factors affecting cybersecurity awareness within organisations.

The researchers found that, as the reported frequency of security training increased, staff security awareness actually decreased. According to reports, every time organisations held a new security awareness training session with the explicit aim of increasing security awareness, security awareness eroded.

Research increasingly shows that today's cybersecurity awareness campaigns need to change. Few, however, are saying what the changes should look like.

Here are five steps you can take in the right direction.

1. Reward positive behaviours

In the 1930s, the power of rewards was first championed by the psychologist BF Skinner, who studied positive reinforcement in animals. Skinner famously found that rats could be trained to push a lever in response to a stimulus if they were rewarded with food.

Although it might seem simplistic, the same is true of people. Rewarding studying increases academic attainment; rewarding physical activity increases exercise; research even suggests that increasing child support payments (arguably 'rewarding' parenthood) increases birth rates.

Rewards are accepted as motivators elsewhere in the workplace, yet almost entirely overlooked in cybersecurity awareness campaigns.

Should positive security behaviours be discussed as part of performance reviews?

2. Use ongoing testing

The fact that tests are a proven learning aid makes them a feature of most cybersecurity awareness campaigns. But most tests take place immediately after training sessions. Few campaigns continue testing people over time.

In 2008, research examined the effects of testing on two cohorts of students. The first cohort were tested on a subject one week after learning about the subject. The second were tested 16 weeks after learning. Nine months later, the cohort tested after 16 weeks retained more of the learned information than those tested one week after learning, suggesting the effects of testing can be enhanced when tests are delayed.

In our experience we've found tests that take place after training – such as after simulated phishing attacks – can increase security performance, especially when promoted as part of a secure culture.

Today, companies are running repeated security training. We'd probably be much better off running repeated tests.

3. Use stories

Training that makes use of stories instead of simply listing facts almost always increases long-term recall. According to Stanford University research, stories are up to 22 times more memorable than facts alone. In his book The Storytelling Animal, Jonathan Gottschall argues humans evolved to tell and learn from stories.

So let's suppose we want to make users think twice before downloading potentially malicious attachments. We could simply remind them to stop and think before downloading attachments. At CybSafe, though, we find retelling stories such as that of Dridex (malware spread through attachments that steals the banking information of customers of European banks) to be much more effective at achieving our aims.

4. Use fear wisely

Using fear in awareness campaigns is a contentious issue.

Research suggests that fear can backfire should threats never materialise. It's also true that fear can cause users to act more cautiously when assessing potential threats (so long as they are offered simultaneous advice on how to mitigate threats). The sobering truth is that for just under half of the businesses that took part in the UK government's 2017 cyber-breaches survey, threats have already materialised.

It seems that the effects of real-life examples – discussed as stories – could be bolstered when the stories elicit a healthy amount of fear.

5. Encourage independent learning

According to Malcolm Knowles' theory of adult learning, adults learn best independently. Yet, few of today's security awareness campaigns even facilitate independent learning, let alone encourage it.

Allowing users to access training material whenever and wherever they want – through cloud-based mobile applications – facilitates independent learning.

In our experience, we've found removing barriers to learning to be extremely effective – a move supported by Nobel prize winner Daniel Kahneman.

By running awareness campaigns designed using psychology we can transform the current perception of people as the main weakness in a firm's line of defence, to people as a resource capable of identifying and negating the most common cyber-attacks that companies suffer today.

With better cybersecurity awareness campaigns, people can become our ultimate defence.


Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. Oz Alashe is the CEO of CybSafe which, at the time of publishing, was one of the Law Society’s endorsed partners.


About the author

Oz Alashe MBE is CEO and founder of CybSafe. A former British Army and Special Forces Lieutenant Colonel, Oz has a successful track record of developing and leading the specialist application of intelligence, cyber and risk management capability to tackle sensitive challenges in business and government.
