Use longitudinal learning to reduce risky user behavior

People ignore information that isn’t relevant to them, which is why IT and HR departments have been approaching security training incorrectly for years. Long-form, all-hands security seminar trainings have contributed to nearly daily data breaches for decades.

HR and security leaders can create a cyber-secure culture by prioritizing the most crucial defense against cyberthreats — humans. Businesses must focus on positively changing user behavior to improve their security posture.

In order to do this, enterprises need to use contextualized, longitudinal learning to consistently educate users over time.

Whose fault is it, anyway?

Historically, security has always been viewed by enterprises as a technology problem or IT problem, when it’s actually a shared responsibility across the entire organization.

We know that the number one concern when it comes to fortifying organizations is human error. This has caused a shift in old perceptions and business leaders now understand security is not the responsibility of one, siloed team. Organizations are now holding workers more accountable by ensuring effective and measurable security education.

But it is unrealistic to hold employees to this level of accountability without equipping them with relevant knowledge and resources necessary of understanding the responsibility for these risks. Employees will have an easier time accepting shared responsibility when the feedback they are receiving is about their actions and applies directly to them.

Longitudinal learning protects against cognitive bias

Longitudinal learning is a teaching method that is gaining traction within academia, particularly for corporate training. This continuing education approach involves administering shorter assessments of specific content (such as whether to click on a URL embedded within an email sent by an unknown user) repeatedly over time.

Through a consistent assessment process, security concepts and information are reinforced so that knowledge is retained and accumulated gradually. Studies on longitudinal learning in healthcare showed that testing medical students in combination with explaining the information is the most effective way to drive the long-term retention of information.

Consistent, repetitive lessons are critical to help employees overcome the cognitive biases that cybercriminals count on to execute their attacks. The human mind is stingy; that is to say, that the brain processes so much information daily that it is constantly trying to take shortcuts to save energy and enable multi-tasking.

Cybercriminals know this which is why impersonation attacks, phishing, and rnalicious URLs are so effective. Did you catch the typo in the last sentence? If not, look at the word “malicious” again. Combining a lower-case “r” and a lower-case “n” looks a lot like an “m” if read too quickly. This simple trick happens hundreds of times a day on corporate networks and is the reason security leaders lose sleep at night.

Humans respond best to contextualized learning, which has been implemented for years in the education industry for learning retention, particularly for students with short attention spans. Longitudinal learning foregoes extended learning sessions for microlessons that are delivered more regularly. Think of it as listening to 10 episodes of a 5-minute podcast rather than an hour-long program.

Given the number of projects, apps, and other tasks knowledge workers are routinely tasked with, longitudinal learning offers a way to transform security awareness training into personalized coaching that fits easily into employees’ busy schedules.

Personalization and relevance

Security awareness training needs to be like the GPS: keeping users on the right path and preventing them from steering off course. It needs to adapt to their actions in real-time, provide corrections, evolve over time based on the user.

When an individual receives direct feedback based on a specific action, they tend to have an “A-ha!” moment, which helps them absorb the information for future use. As this situation plays out consistently over time, with slight behavioral variations, the knowledge leads to a positive pattern of behavior.

Longitudinal learning is an essential piece of a layered cybersecurity strategy. It’s important to keep in mind that the tone must be optimistic and educational, and not belittling, so that it doesn’t have the opposite effect. A personalized, longitudinal approach respects the time of your employees, and allows them to absorb information in a more effective, scalable way. The result is a strong, measurable cybersecurity culture with buy-in from across the entire organization.