Not too long ago, a client of ours who had just released a dynamic new information security course told me how blown away he was with the response they were getting.
He recounted how employees stopped him in the hallway to thank him for not boring them to death! His inbox was full of compliments, and his colleagues wanted to duplicate his training in their own departments. In short, his awareness program created a buzz.
Is your training getting this kind of reception? If it is, keep it up! But if it’s bombing—if people roll their eyes at your training, and ignore your efforts to make security protections part of the conversation—it could be you’re approaching the problem from the wrong perspective. If you’re not getting the results you want from your security awareness and privacy awareness efforts, here are six things that might be killing off any hope of an enthusiastic reception to your training.
1. You checked the box
The biggest cause of a failed awareness program is your decision to just “check the box” and get it done. Regulations require that you train people, but they don’t say how, so checking the box is easy. But if all you care about is satisfying the legal requirement, then that’s all your people will care about, too. And in the end, all you really will have done is to create another administrative burden that provides no return on your investment.
2. It’s no fun
How are your completion rates stacking up? If people aren’t finishing the training, it could be that slogging through the material is just a drag. For training to be effective, it must be inviting, interesting, engaging—and ideally enjoyable. And if you want the course to be remembered 15 minutes after it’s been taken, it’s also got to find some hooks in the minds of the learners. You can do that with good courseware that integrates just the right amount of humor or even game mechanics. In other words, make it fun!
3. It’s not relevant
When training material doesn’t address employees’ real life, motivation plummets and frustration soars. Worse, if it is perceived as irrelevant, it will be ignored, quickly forgotten, and may even sow seeds of discontent. Adults want to know why they need to learn something. So deliver training that makes it clear how the new knowledge will serve them in their day-to-day work, and that the new knowledge will be both relevant and practical. If these all-important motivational attributes are lacking, you’ll lose more than the learners’ interest.
4. The training material is stale
Ever eat a stale slice of bread or drink a flat soda? That’s essentially what you’re serving your people if you’re not keeping your awareness training and reinforcement content fresh. If people take the same course year after year, they’ll begin to ignore it altogether. No doubt you’ve experienced becoming so used to something—like that ratty old chair in the living room—that you no longer pay any attention to it. The same can be true of your awareness program. So freshen it up, shake it up, make a little noise about it. Give buzz a chance.
5. The program lacks executive support and modeling
Is your organization’s management helping or hindering the cause of security and privacy awareness? Where corporate culture is concerned, actions speak louder than words. If the leadership circumvents security measures for its own purposes, or rewards others who do the same (like paying bonuses to employees who take “shortcuts” to meet or exceed short-term goals), then the program is sure to be a bust. Most leaders understand that culture plays an important role in their organizations, but many, it seems, have difficulty understanding how it can be leveraged to bring about security/privacy-aware behaviors—or worse, how it might actually impede those behaviors. Your people are looking for consistent role models. Lead the way!
6. You used the wrong awareness training approach
It happens! It’s no secret that security awareness programs do not always work or deliver the expected results. As we have seen, there are many reasons an awareness training program might bomb. Perhaps the training was simply a boring PowerPoint, converted for online delivery, with no thought given to engaging employees in considering the impact that security had on their lives; perhaps it was a series of videos that amused people with animatronic malware bots, but failed to convey the behaviors they needed to practice at work. The success of your security awareness initiative depends upon delivering a training and reinforcement solution that has been designed specifically to support adult learning, enable essential best practices, and reduce risk. Frankly, not all awareness training solutions are up to these tasks.
When you’re looking around for a new security or privacy awareness program, ask yourself whether your candidate solution will boom or bust, buzz or bomb.