
It’s Thursday and Sue, a 15-year company veteran, sits down to take yet another mandatory training program before the Friday deadline. She’s calculated that over the course of her career she has completed hundreds of hours of training. Even though she wants to do the right thing and make the company more secure, her one-hour security awareness module is coming on the heels of 5 other regulator-mandated training courses and videos this quarter. Logging into her training portal, she sighs when the screen shows “module 1 of 10.” Midway through the training, her attention fades in the deluge of facts and messages. Far from uncommon, Sue’s experience is unfortunately routine for many employees and staff who want to learn and be more secure. It’s not the subject matter that falters - it’s the legacy training mindset that fails the employee and the company as well.

But there’s another way.

By recognizing what mental models and legacy practices inhibit message delivery and behavior change, security awareness officers can quickly turn things around and get more from every training minute and every training dollar. Keep an eye out for two common traps to optimize your security awareness training program.

Beware training fatigue

Checking the compliance box shouldn’t come at the expense of more secure behaviors, but employees are inundated with so many training demands that they quickly tune out messages and forget the desired action. Failing to focus training content, delivery and timing puts the onus on the learner to sift through what is important. As the saying goes, if everything is important then nothing is important. Instead of throwing everything at the wall to see what sticks, it pays to be precise in identifying what modules are critical for what roles and when. This is the holy trinity of right amount, right time, right training. Once the onslaught of training has been tamed, then it’s time to tackle the related concept of cognitive overload.

Avoid cognitive overload

When you aim to teach people everything possible, people often remember that nothing is possible. When there is no signal through the noise then all people hear is noise. The paradox of choice is a manifestation of this in consumer behavior and decision making. Too many choices and people can’t choose. Less is more here. Cognitive overload happens when people are presented with too much information and they shut down, forgetting the key messages needed to change behavior. Focus on the “critical few” to change behavior. Would you rather have learners remember 2 out of 3 important takeaways or 1 semi-important takeaway out of 25?

Seven solutions

Here are 7 tips you can use today to address cognitive overload and training fatigue:

  1. Do a human risk analysis and identify human risks. Then prioritize those risks and focus on just those. SANS security awareness training takes care of this by providing organizations with core modules out of the box.
  2. Assign training by roles. Different roles have different unique risks, so break down training as much as possible. This is often built on Core training topics with specific training added or removed.
  3. Deploy knowledge assessments that enable aware employees to test out of training or specific modules.
  4. Conduct knowledge assessments to understand areas of weakness.
  5. Provide training in short, modular format so it is easily consumable, focused on specific topics and engaging.
  6. Make training engaging by empowering people and focusing on how they personally benefit.
  7. Automate delivery as much as possible.

Learn how the Advanced Cybersecurity Learning Platform automates training to deliver the right content to the right people at the right time.