The role of employees in information security cannot be overstated – after all, technology alone cannot protect your systems without their involvement. In fact, your workforce is your greatest single asset in the battle against increasingly sophisticated and persistent threats. And what’s equally true is that one size definitely doesn’t fit all when it comes to the style of training and communication needed to embed a successful security culture.
The name of the game is to employ a multi-channel approach to reach as many target audiences as possible. This is quite different from relying on traditional e-learning alone, which is undoubtedly a convenient, low-cost form of training, but in isolation is likely to deliver only a basic level of engagement.
However, combine e-learning with a range of other methods and you are more likely to achieve greater engagement and internalisation. It’s all about recognising that everyone has a different learning style and that company cultures vary significantly from one organisation to another.
Combining learning with communication has proven for many to be an effective method. Recognise the diversity of learning styles. Visual learners need to see content to absorb it, auditory learners listen, communicative learners like to talk about the topic, and motor learners learn by doing.
To ensure all these groups are fully engaged, your information security awareness programme needs to be equally diverse and offer employees multiple ways to learn. For example, at DXC Technology the training methods are grouped under five broad headings: communication, onsite training, web-based training, ‘edutainment’ and security giveaways.
Communication covers traditional awareness-raising activities such as posters, brochures, newsletters and videos. Onsite training includes classic learning techniques such as seminars, conferences and lectures. Web-based training comprises e-learning, interactive CD training and other computer-based methods.
‘Edutainment’: Education meets entertainment
‘Edutainment’ is a fresh concept, combining education and entertainment in activities such as quizzes, games and brainteasers with built-in security messages. It can also include interactive events and game-style learning activities. Security circle training and ‘lunch & learn’ events mix informal learning with security-themed entertainment such as live-hacking demonstrations. Finally, attractive security giveaways such as calendars, trump games or even Lego robots are used to visually reinforce security tips and hints within offices and workplaces.
For maximum effectiveness, information security awareness programmes should be branded with a logo and slogan. Apart from raising general awareness, a strong identity and storytelling help employees to associate with the programme and to quickly identify security awareness initiatives.
It’s also helpful to make campaigns as real and as engaging as possible. Case studies and examples will help to contextualise learning and make it more relevant to everyday routines. Using real employees in security messaging will generate more interest and hold the trainees’ attention longer.
No doubt there is a range of techniques that can be used for training and learning, some old, some new, but all of them can help strengthen your security culture when used in the right way. Training methods should be diverse, inclusive and tailored to the individual needs of the organisation as much as possible. Getting it right may take some time, but the cost and effort involved are minor compared to the huge advantages that a risk-aware workforce will bring to your overall security protection.