Resilience by design: What security pros need to know about microlearning

It’s no secret that security training is failing us. Research has revealed that more 90% of people struggle to identify a phishing email — arguably one of the most basic tactics used by threat actors. Add more sophisticated attacks like social engineering, and the risks have never been higher. So what can security leaders do to improve this situation?



Microlearning delivers digestible bits of information specifically designed for the learner to retain in a short period of time. Common microlearning content includes videos, simulations, quizzes and more. Sounds simple enough, right?

Not quite. While the security industry is beginning to recognize the advantages of microlearning, many implementation inefficiencies persist. To successfully adopt the learning approach, organizations must first understand how employees retain information and then build a strategy around how this information will be leveraged when an incident occurs.

Ingesting the information

One of the core components of microlearning is keeping people completely engaged in ongoing content. Consider all the competing priorities that are impacting employees daily: childcare/schooling while working from home, juggling countless Zoom calls with meeting day-to-day deliverables, and more. On top of this, research shows that workdays are increasing by nearly 9% on a global scale. Throw security training into the mix, and procrastination and/or distraction is nearly guaranteed.

In order to help employees retain the information provided in security awareness training, organizations should look at microlearning as a holistic system. Topics should be narrowly focused, so learners walk away with one key takeaway from each piece of content. Furthermore, the content should not only be short – it must also be applicable so people know why they’re learning it and how to apply the knowledge.

To help demonstrate this, consider this analogy: microlearning is a theme park and traditional security training programs is a state fair. The state fair is a collection of rides. It’s disorganized. There’s no map and you’re left to swim through a big mess. It’s also pay-to-play — you need a stack of tickets for each individual ride, piece of food, etc.

On the other hand, when you walk into a theme park, you have access to all the rides. It’s a pleasant experience from the get-go. Everything has a theme — even down to the map of where you need to go or what you should do next. It’s cohesive and intentional. Just like microlearning should be.

Leveraging the information

Microlearning is optimized to the ways the brain best learns material that may have to be recalled much later, unexpectedly, and under stressful conditions. This makes microlearning ideal for threat awareness education.

When major attacks occur, employees cannot and will not dig through notes (that they probably didn’t even take) from a security training session six months or a year ago. They need to act quickly, tapping information that’s already been ingrained into their mind. Microlearning ensures that employees will recognize and can respond to the signs of an attempted attack, months or years later, even when they’re wrapped in their day-to-day work.

Not convinced that such short content can leave such a lasting impression? Consider the way the brain processes and recalls information.

Research has shown that people will forget more than 80% of what they’ve learned in less than a month. But, if reengaged on a regular basis, people will not only retain more information but will be able to retain that information for a longer period of time.

It’s the reengagement of the microlearning strategy that keeps information top of mind ensuring people remember what they’re taught and can recall the information they most need exactly when they need it. It’s teaching designed to fit the way the brain learns. Perhaps the solution to attack after attack isn’t on the show floor at RSA or Black Hat, but in our own heads after all.

Don't miss