In 1923, a devastating earthquake reduced much of Tokyo to rubble. In its aftermath, just one building stood virtually unscathed: the Imperial Hotel, designed and built by Frank Lloyd Wright. Its secret to survival? The novel and masterful use of reinforced concrete—a building material in which the tensile strength of steel and the compressive strength of concrete worked together to resist and withstand even the 7.9-magnitude quake that leveled its neighbors. Those buildings that did not immediately collapse were so otherwise compromised that they were soon engulfed in flames. As powerful testimony, the famous telegram sent by Baron Kihachiro Okura to Wright read, “Hotel stands undamaged as a monument of your genius. Hundreds of homeless provided by perfectly maintained service. Congratulations. Congratulations.”
The bottom line: reinforcement matters! Not only in the architecture of great buildings, but in the architecture of a robust security awareness program, as well. Unlike a building, however, security awareness is never completed. Because it is a process, it is an ongoing exercise that requires continuous development and maintenance in order to bring about its benefits in helping the organization withstand the myriad information security stresses it faces every day—stresses that can cause unreinforced enterprises to sustain great damage.
Formally speaking, the reinforcement phase of a security awareness program picks up where the foundational training event leaves off. Only when training is reinforced through a proper and continuous campaign will the new knowledge be retained and ultimately embraced to bring about security-aware behavior. In short,
behavior change = training + reinforcement
Even when training is well done, the fact is that people tend to halve their memory of newly learned knowledge in a matter of days or weeks. Therefore, it is imperative that the knowledge be re-presented (reinforced) in a mix of media that includes posters, articles, newsletters, animations, videos, events, screensavers, cheat sheets pinned to cubicle walls, and a great many other, often creative, vehicles.
Poorly designed security awareness programs have many potential points of failure. One of the major failure modes is a lack of proper reinforcement. Good reinforcement is vitally important because most learners will be extrinsically motivated. That is, they will be motivated by factors external to the particular tasks they are to perform. These motivators might include the desired benefits of compliance, bringing about a particular end, or even fear of being fired. Conversely, learners who are intrinsically motivated take pleasure in the security awareness-related tasks for their own sakes. These people will definitely be in the minority! The goal of good reinforcement is, over time, not only to remind employees of their training, but also to help extrinsically motivated employees to internalize the value of the behavior, thereby effecting lasting change.
A good reinforcement program actually begins upstream, before the training occurs; it is at work during the course, and it continues post-course. It is at work across all four adult learning principles and is refreshed throughout the year, not only to help make the learning stick, but to keep the awareness content up to date and relevant as security threats evolve. And while other companies may suffer devastating breaches, you’ll rest secure in the confidence of having designed, built—and reinforced—a truly security-aware enterprise.
For more on creating a successful reinforcement program, see Security Awareness Reinforcement Solutions—Tools & Strategies to Drive Training to Habit, or contact MediaPro for a free consultation.