“How do we get our employees to care about security awareness training?”
This is the most common question we get from IT admins. If you were opening this post because you wanted an answer to that question... so sorry, but you’re going to be disappointed.
Why should people care about security awareness anyway? Just like most things in life, if you tell someone that they HAVE to do something, they most likely will not want to do it and will develop some type of resentment towards it instead. Think about when we were kids and our parents would ask us to clean our rooms; they'd tell us that we should want to have a clean room, and that it was good for us. We didn’t believe a single word they said. We saw cleaning our rooms as a nuisance. It was something that our “upper management” (i.e. our parents) were forcing us to do.
To give another example that I brought up in a recent interview: growing up in the US, I was forced to run a mile each week in school, and I had to run it under a certain time to pass the class. The coaches tried to get me to “care” about running so that I would work hard to improve my time, but after years of running the mile I absolutely HATED running and never wanted to run again. That only changed when I joined a running club that met regularly and made running simple but fun. It was no longer the big task of running a mile under a certain time; it was just about making running a part of my daily routine.
So, why is it that we take the same approach to security awareness by trying to force employees to like something that they don’t? With that approach, it’s no wonder that engagement is such a big issue in the industry.
Create a Positive Environment Around Security
Achieving security awareness through force is never going to work. All we are left with is endless data breaches and hacks, aggravated employees, and a fair amount of frustration felt by administrators. If we try to see things from a different perspective, approach people from a different angle, and stop forcing people to watch videos of dancing llamas, then maybe we could start to get people to care about security awareness.
So how do we do that? In my opinion, there are four areas that matter:
1. You don't pretend your employees are toddlers, and don't force them to watch a cartoon video and take a quiz. Instead, you allow them the opportunity to read a quick email on their phone, click a button that they have read it, and then let them move on with their day. It’s not a big task, so it’s not a nuisance anymore. Plus, your employees will feel like you’re treating them as the educated adults that they are rather than 5-year-olds.
2. You make it so easy they can do it on the toilet. While it might be taboo to talk about, the fact remains we all have our phones with us in the bathroom. If you're in the loo and you are scrolling through emails and TikToks anyways, you could complete your security awareness training instead of doom scrolling. Wouldn't that be better than sitting in front of your computer and having to sit through a video you hate?
3. Connect your simulations to your training. Doing only one is not enough. Look at how we take our driving tests. We have a written portion, and an active driving portion. Would you ever get into a car with a person who only took the written part? I don’t think so.
4. Provide employees with immediate feedback on what they missed when they fall for a simulation. People don’t like falling for simulations, and they don’t want to get hacked in their personal lives either, so they do want to get better to avoid making the same mistake again in the future. This creates a perfect learning opportunity by relating security awareness training to not only work life but home life as well. Don’t let it go to waste.
Following these four points is a great step towards taking a topic that is normally hated and turning it into a positive experience. Once employees see that training can be simple and effective without feeling forced or belittled, they start to care about it more than they otherwise would.
The Practical Effect
Before working at Pistachio, I had spent over 10 years going through standard security awareness training. I still had no idea what a subdomain was, and I didn’t inspect URLs to check if I was being tricked. All I would do was turn the training video on, mute the screen, and go to a different page to do work until the training was over. I would then guess at the questions on the quiz.
Now that I’m at Pistachio, where we use our product internally, I read and think about the training I receive. I complete it on the bus (or in the bathroom). And, importantly, I think before clicking on links. Whether the email is from the CEO, the bank, or even my husband, I always pause and think before doing anything. And that is what we want out of security awareness. We want people to be engaged enough to think before they click on links or enter their credentials.
And I never want to watch an animated video on security awareness ever again.