“Untrained employees drain revenue.”
That’s a key finding from a study of 500 executives conducted in 2014. “Companies that train their employees about cybersecurity best practices spend 76% less on security incidents than their non-training counterparts.” In 2014, that difference amounted to $521,000 in lost revenue on average.
And for 2015? The updated study found that breaches are not only increasing in number, they are also becoming more destructive. For example, more than three-quarters of respondents (79%) said they had detected an incident in the last 12 months, the highest percentage in the survey’s history.
Unfortunately, other research shows that security and awareness training initiatives are not keeping up with these threat trends. In a joint Ponemon Institute/Experian survey of 601 professionals in companies with security and privacy training, 55% said their organization had suffered a data breach or security incident due to malicious or negligent employees. Counter-intuitively, only 35% of those surveyed said they felt senior executives considered employee security and privacy knowledge a priority.
This disconnect, while not entirely surprising, is still unsettling. This same survey found that many respondents felt their organization’s training lacked the ability to effect real behavioral change. Forty-three percent said, for example, that their organization offered just one basic course meant to apply to all employees. Long story short: if you’re using the wrong training, you won’t get the results you want.
Admittedly, changing employee behavior is no easy task. Fortunately, there are some established ways to get a foothold. Below, you’ll find a list of awareness program best practices we’ve developed over 20-plus years of working with some of the most risk-conscious organizations in the world.
1) Get Users Motivated
You may expect to see an e-Learning best practices list open with advice on juxtaposing multiple types of media or arranging the look on the page. But as Ruth Clark and Richard Mayer write in E-Learning and the Science of Instruction, the most fundamental lesson from e-Learning research is that learning is learning no matter the media. And the first job for any kind of training is to get users motivated, to get them to engage.
The most potent motivation comes from factors inside the learner or inherent in the task they’re engaged in. So-called Intrinsically motivated learners are more likely to process information in effective ways and achieve at high levels.
So, the first step in motivation is getting the students’ attention.
The short path to motivation runs through identification. In order to hold your learners interest, you need to establish how the course content is relevant to them and how paying attention pays off for them. You can do that by addressing the student directly, or by presenting characters they identify with.
Once you’ve gotten their attention, you’ll want to build their interest. A good way to do that is to show them that their actions at work have consequences, not only for the company, but also for them. You can do that, for example, by putting the characters they identify within a situation that presents them with choices that have significant personal consequences.
2) Heighten Engagement by Creating “Social Presence”
Motivation comes not only from the content you present, but from the way you talk to students.
You’ll see a lot of training adopt a third-person voice (“To increase security, the ‘strict’ option is preferable…”), likely because use of third-person in academic circles lends a patina of objectivity and authority.
The very objectivity of the voice, though, can waste the motivation we’ve been building. That’s because learning, even e-Learning, operates at a deeper level when the learner experiences it as a social encounter.
Students often experience the third-person objective voice as a disembodied voice. So, it leaves your learners less engaged and less likely to identify with characters you present.
The better approach for training is to address the user directly. You’ll find that users parse second-person writing more easily, but that’s not the only reason to prefer it.
Writing in a conversational tone and addressing the reader in second-person (“You are our number one defense…”) triggers ingrained, unconscious, social conventions that cause learners to invest attention. Essentially, they react to the training as though it was a person talking to them and expecting a response. The result: learners engage at a deeper level.
You’ll augment that sense of social presence by combining a conversational tone with the stories and characters we talked about above. Returning to Clark and Mayer, making the “author” visible through story and images adds additional cues that encourage the learner to deepen their engagement with the content.
3) Provide Practice Throughout the Stages of Training
We all know that if we want users to recognize information, we need to show them examples. And the best way to learn a skill is to practice it, not just to read about it.
Learners learn what they do, so it’s important that their exploration and practice be as true to reality as possible. If we want them to recognize security features on a bank card, for example, we show them the features on the card. If we want them to tell the difference between sensitive documentation and non-sensitive information, we ask them to separate the two into different folders.
But there’s more to practice than that.
In the past, the e-Learning industry has thought of practice as an end-point, the last step in a cascade which starts with an introduction and ends with a test.
But research shows that practice doesn’t have to work that way. Practice accomplishes varying ends depending on when and how you present it in the course.
Sometimes practice makes sense as part of the initial learning. That can be true when the content is simple. Introducing small challenges can combat “cognitive miserliness”, the tendency for brains to conserve energy by attending less closely or falling back on heuristics to solve problems.
Practice can work well even when it’s staged as a pre-test; literally a quiz students take before they’ve seen the content of the course. You might think it’s unfair or counterproductive to pre-test. In fact, students get three benefits from getting practice before being exposed to the content.
First, as Clark and Mayer point out, students are notoriously poor (OK, terrible) at gauging their own ability. Graded practice before the lesson can alert them to holes in their learning so they pay attention when it makes sense.
Second, pre-tests give students who already know the information a chance to test out of sections so they can focus on those areas where they need help.
Finally, pre-testing gives students a preview of the content and vocabulary that will feature in the lesson, so they begin to build cognitive structures to fit the content into when they encounter it.
4) Heighten Realistic Practice with Relevant Gamification
Ambient Insight predicts the market for game- and simulation-based learning will rise to $5.5 billion in 2018 from an already impressive $1.7 billion today.
Yet, gamification is double-edged sword. Done well, it can make training much more inviting. Done poorly, it can literally waste your project budget by teaching the wrong skills.
The classic example is the rise and fall of the Oregon Trail, an educational game that featured pioneers moving their families out west. Instead of absorbing lessons about Westward Expansion, many students abandoned the instructional objectives, choosing to load up on virtual bullets and take down as many buffalo as they could.
Good game design that makes a difference in workplace performance compresses realistic job problems into a short time frame in a safe setting where learners can succeed and fail safely.
As our friends Clark and Mayer write, learning will get more reinforcement when it becomes essential to progressing through the simulation. You can facilitate this by weaving instructional objectives into the flow of the simulation.
Games and simulations are more effective when they include explanatory feedback rather than a simple correct or incorrect. Explanatory feedback works well as either a hint, or as feedback to learner responses.
5) Manage Complexity
A current fad in instructional design is to create “discovery” spaces that are rich in interactivities with little direction.
The intention is to create a rich environment. But in practice, complex environments are often inefficient and can contribute to overload.
According to Clark and Mayer, the more effective practice is to sequence content by starting with a simple task that has a low level of challenge and only partial functionality enabled. Then, progress to tasks that have more information and demand more skill or knowledge.
And complexity isn’t just a matter of the number of images on a page, but the detail in those images as well.
We often work with subject matter experts whose initial position is that photo-realistic images are more appropriate for “serious” content while hand-drawn or simplified images should be reserved for less important topics.
In fact, highly realistic images and sounds are busy and distracting, particularly for novice learners. Clark and Mayer say the best practice is to minimize realism that isn’t aligned with an instructional objective.
Of course, there’s abundant literature on the way to deliver multimedia content, the number of channels to use simultaneously, and how to manage it. And you’ll find plenty of articles on the web discussing those issues.
Before you get into those details, though, consider this.
Graphical and audio design are important. They underline and clarify. They direct attention. But only after you have the attention first, and only for learners who are interested and motivated. Shooting phishing email in an arcade is fun. But it alone doesn’t build your employees’ confidence or capability to make your information or your customers’ more secure.
In awareness training, poor design impacts your bottom line and your reputation in the market place. It doesn’t matter how pretty your screens look if your employees aren’t engaged and taking your training to heart. Substance and appearance must walk hand-in-hand to effect real behavioral change.
Safeguarding the Human
As headlines continue to show us, threats to cybersecurity and data privacy are not going away anytime soon. While technical safeguards are important, these alone cannot take the place of expertly-designed educational content designed to change employee behavior. Humans can be a weak spot in an organization’s security or data privacy infrastructure, but they can also be, nay should be, a strength.
As an instructional designer for MediaPro, Tim Dawes designs training to help anyone from the shop floor to the corner office meet their company’s business goals. Previously, he ran a company that trained staff to improve their results by swaying critical stakeholders. He’s also the author of an award-winning book showing healthcare workers how to improve satisfaction and standards of care by making their compassion visible to patients.
Want to see how our adult learning expertise can be put to work for you? Contact us any time.