Security Awareness Needs a New Experience, Not More New Content

If you are shopping for a security awareness vendor, you have Netflix-style variety at your fingertips. Below are some of your options:

- Hollywood style – Habitu8 (acquired by Arctic Wolf) or KnowBe4 (acquired by Vista)
- Anime – NINJIO
- Cartoon villains – Curricula (acquired by Huntress)
- Dry comedy – Ataata (acquired by Mimecast)
- Escape room style – LivingSecurity

As you can see, there are lots of different ways to create content that delivers the same message about using strong passwords, updating your devices, detecting phishing, or the other common security awareness topics.

The problem is, users aren’t looking for new forms of content to teach them the same lessons. As an example, your employees know strong passwords are better than weak passwords. Teaching them using a new video format or approach won’t improve their password hygiene.

Security awareness needs a new approach, not new content covering the same topics. This approach needs to leverage data about how your employees learn to provide them with an experience, not content, that engages them on a regular basis.

The Security Awareness Experience

When you think beyond content innovation in security awareness, there are 2 primary dimensions in which you can build a security awareness experience that 1) users will enjoy and 2) is effective. These 2 dimensions are frequency and context.

Security Awareness Training Frequency

In order for users to retain what they are taught, they need training to be as frequent as possible. Here is some of the data about retention and training frequency:

- Monthly training – 58%
- 3 month training – 26%
- 6 month training – 21%
- 12 month training – 15%

That data 👆 shows that you have a nearly 50% loss of retention after only 1 month.

The best training frequency, from a retention standpoint, is somewhere between 1 day and 1 week. To accomplish this, training needs to be fast, require no prep time, and be engaging. This is similar to how many SAT training services operate.

Security Awareness Training Context

Context matters. It matters for training. It matters for security. The most effective experience for training, especially frequent, short training, is within the context of work.

Context switching maximizes distraction and adds lots of time before employees can get back to being productive. Here’s what we mean by context switching:

1. Employee gets an email notification of a new training.
2. Employee clicks the link in email and is taken to a web app.
3. Employee logs in to a web app.
4. Employee views and hopefully completes training fast.
5. Employee navigates back to what they were working on.

The above is a waste of time and attention. It also burns goodwill from employees about security awareness training.

Alternatively, here’s what we mean by training in context:

1. Employee gets a training notification in Slack.
2. Employee navigates to notification.
3. Employee completes training in Slack (completion is logged).
4. Employee goes back to previous Slack channel.

The above is fast, requires no new logins, and does not take the employee out of the flow of work.

----

Security awareness needs to move beyond content and examine the overall experience of learners. By changing frequency and context, security thinking starts to embed itself into the flow of work.

The post Security Awareness Needs a New Experience, Not More New Content appeared first on Security Boulevard.

The post Security Awareness Needs a New Experience, Not More New Content was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

*** This is a Security Bloggers Network syndicated blog from CISO2CISO.COM & CYBER SECURITY GROUP authored by Haekka Blog. Read the original post at: https://ciso2ciso.com/security-awareness-needs-a-new-experience-not-more-new-content/