Marie White, Founder, CEO & President, Security Mentor.
In 2008, Security Mentor provided security awareness training to our first customers, concurrently we introduced what remains the most effective security awareness training model available – Brief, Frequent, Focused™ training.
Back in those days, security awareness training was mostly done in hour-long sessions, provided once a year, covering a multitude of topics. Employees dreaded training -- pressured by work responsibilities, they were either too busy to take training, or just too bored with it, and so tuned the training out, if they took it at all. The end result was employee behavior didn't change and cybersecurity risks remained high. Employees were often blamed as the cause of the problem – they didn't care or couldn't be trained, and security awareness training was denigrated as useless.
How things have changed. Employees are now widely recognized as one of the most critical components of the organizational security. And security awareness training is recognized as critical to achieving cyber secure employees. How did we get to this awakening?
The first step was to recognize that poor security awareness training was the cause of most training failures then, and unfortunately, still is today. Security Mentor's solution was to disrupt the market, and provide training designed for how people learn and work. We introduced a new training model – Brief, Frequent, Focused™ training – training delivered in 10-minute sessions, provided monthly, each lesson on a single topic. Why does this model work so well? Let's take a look at each component:
- Brief. What do human and puppy learners have in common – short training sessions are ideal. Puppies have short attention spans, thus longer training sessions cause training fatigue resulting in loss of interest and displacement behaviors – the end result: puppy training failure. Sound familiar? How many times have you reached for a cup of coffee, or looked around searching for something to distract you when taking training? You are not alone. Numerous articles have been written about the advantages of brief training. One study found that 94% of e-learners preferred sessions that were less than 10 minutes. Not only does brief training provide a more effective training model but it increases learner satisfaction, which is a critical key performance indicator (KPI) in determining training success.
- Frequent. Frequent training has multiple benefits. First, it provides new information at regular intervals. Second, repetition of the same message ingrains the learning materials. Third, frequent training reinforces the importance of that information. In the book "How We Learn: The Surprising Truth About When, Where, and Why It Happens", Benedict Carey discusses how repeating information over a longer interval sends a stronger signal to the brain to retain information. Cybersecurity is a topic that is particularly well-suited to frequent training. By providing training throughout the year, employees are continually reminded of the importance of cybersecurity. At the same time, new cybersecurity topics are provided that keep the information fresh and interesting, while reinforcing key cybersecurity messages.
- Focused. Cybersecurity is a daunting subject for most employees to learn. It can be very technical and let's be honest, there's a large and ever-growing amount of information to comprehend, remember, and put into practice. No wonder employees are overwhelmed by cybersecurity training, and often avoid it. The solution is to provide training in small bites that focus on a single topic. This bite-size learning approach focuses on one key objective making it more easily consumed and better retained. Security Mentor's security awareness training approach is that each lesson focuses on a single cybersecurity topic.
In this blog, I've shared why Security Mentor's Brief, Frequent, Focused™ training model is our secret sauce. Each component – brief, frequent and focused – is critical on its own, but also an integral part of the entire model, without which the overall training effectivity would be greatly reduced.
That said, a training model is only half of how to make security awareness training effective and successful. In an upcoming blog, we'll talk about the importance of engaging and interactive training. Until then, whether developing your own training or using a vendor's services, be sure to utilize the Brief, Frequent, Focused™ training model to ensure training success.