Cyber attacks are on the rise during this year of uncertainty and chaos. Increased working from home, online shopping, and use of social platforms to stay connected and sane have provided criminals with many attack avenues to exploit.
To mitigate the threat to their networks, systems and assets, many organizations perform some type of annual cybersecurity awareness education, as well as phishing simulations. Unfortunately, attackers are quick to adapt to changes while employees’ behavior changes slowly. Without a dramatic shift in how we educate employees about cybersecurity, all industries are going to see a rise in breaches and costs.
Changing the way people learn about cybersecurity
The average employee still doesn’t think about cybersecurity on a regular basis, because they haven’t been taught to “trust but verify,” but to “trust and be efficient.” But times are changing, and employees must be reminded on a daily basis and be aware that they (and the organization) are constantly under attack.
In the 1950s, there was a real push to increase industrial workplace safety. Worker safety and the number of days on a job site without an incident were made top of mind for all employees. How did they manage to force this shift? Through consistent messaging, with diverse ways of communicating, and by using daily reminders to ingrain the idea of security within the organization and change how it functioned.
Hermann Ebbinghaus, a German psychologist whose pioneering research on memory led to the discovery of forgetting and learning curves, explained that without regular reminders that keep learning in mind, we just forget even what’s important. One of the main goals of training must be to increase retention and overcome people’s natural tendency to forget information they don’t see as critical.
Paul Frankland, a neuroscientist and a senior fellow in CIFAR’s Child & Brain Development program, and Blake Richards, a neurobiologist and an associate fellow in CIFAR’s Learning in Machines & Brains program, proposed that the real goal of memory is to optimize decision-making. “It’s important that the brain forgets irrelevant details and instead focuses on the stuff that’s going to help make decisions in the real world,” they said.
Right now, cybersecurity education is lost and forgotten in most employees’ brains. It has not become important enough to help them make better decisions in real-world situations.
A different kind of training is needed to become truly “cyber secure” – a training that keeps the idea of cybersecurity top of mind and part of the critical information retained in the brain.
Microlearning and gamification
Most organizations are used to relatively “static” training. For example: fire safety is fairly simple – everyone knows where the closest exit is and how to escape the building. Worker safety training is also very stagnant: wear a yellow safety vest and a hard hat, make sure to have steel-toed shoes on a job site, etc.
The core messages for most trainings don’t evolve and change. That’s not the case with cybersecurity education and training: attacks are ever-changing, and they differ based on the targeted demographic, current affairs, and the environment we are living in.
Cybersecurity education must be closely tied to the value and mission of an organization. It must also be adaptable and evolve with the changing times. Microlearning and gamification are new ways to help encourage and promote consistent cybersecurity learning. This is especially important because of the changing demographics: there are currently more millennials in the workforce than baby boomers, but the training methods have not altered dramatically in the last 30 years. Today’s employee is younger, more tech-savvy and socially connected. Modern training needs to acknowledge and utilize that.
Microlearning is the concept of learning or reviewing small chunks of information more frequently and repeating information in different formats. These variations, repetitions, and continued reminders help the user grasp and retain ideas for the long-term, instead of just memorizing them for a test and then forgetting them.
According to Ebbinghaus, four weeks after a one-time training only 20 percent of the information originally learned is retained by the learner. Microlearning can change those numbers and increase retention to 80 or 90 percent.
Gamification amplifies specific game-playing elements within the training to include competition, points accumulation, leaderboards, badges, and battles. Gamification blends with microlearning by turning bite-sized chunks of learning into neurochemical triggers, releasing dopamine, endorphins, oxytocin, and serotonin. These chemicals help reduce stress and anxiety (sometimes associated with learning new material), increase “feel good sensations” and feelings of connection.
Gamification increases the motivation to learn as well as knowledge recall by stimulating an area of the brain called the hippocampus. From a business perspective, 83% of employees who “receive gamified training feel motivated,” while 61% of those who “receive non-gamified training feel bored and unproductive.”
Other reports indicate that companies who use gamification in their training have 60% higher engagement and find it enhances motivation by 50%. Combining microlearning with gamification helps create better training outcomes with more engaged, involved employees who remember and use the skills learned within the training.
The bad guys don’t stop learning and trying new things, so the good guys can’t stop either.
Cybersecurity is increasingly central to the existence of an organization, but it’s fairly new, rapidly evolving, and often a source of fear and uncertainty in people. No one wants to admit their ignorance and yet, even cyber experts have a hard time keeping up with the constant changes in the industry. A highly supported microlearning program can help keep employees current and empower them with key decision-making knowledge.