Security Behavior Change

How to Choose the Right Security Awareness Training Solution

Masha Sedova

Published on 3 October 2018

Ready to start or refresh security awareness training at your company, but want an approach that doesn’t bore your users while leaving you no more secure than before? In this guide, you’ll learn how to select a solution that’s right for your employees, your security goals, and your organization.

Criteria 1: Define the Impact of Training

At the end of the day, security awareness training needs to move a specific, measurable outcome, such as a 75 percent increase in phishing reporting rates, an 80 percent decrease in user-generated incidents, or a 100 percent completion rate for compliance.

Before you evaluate any solution, get clear on your goal(s). Then search for a solution designed for that outcome. Ask the vendors you’re considering how other companies have moved those same metrics with the solution, and don’t be afraid to ask for references or case studies.

Criteria 2: Is the Content Engaging?

We’ve all sat through boring security awareness training at some point in our careers. Users despise it, and it makes no positive impact on your organization’s security posture. When evaluating a new solution, seriously consider whether your users will be motivated to consume it. Engaging content can run the gamut from fun and gamified to simply relevant and useful to an employee’s daily life.

The end goal is to have employees want to take the training instead of being forced to take it. The best way to find out what will work is to ask them what kind of training they’d appreciate, such as gamification, competition, or something straight-to-the-point that can serve as a reference guide later. Plus, the more engaged users are in the selection process, the more they will enjoy the training when the time comes.

Criteria 3: Is it Optimized for Learning and Retention of Content?

Active learning experiences, such as discussions or practice-by-doing, are commonly credited with a retention rate of around 75 percent, far above passive formats. This alone can accelerate your solution search, as you can quickly eliminate those that only offer self-watched videos and questionnaires.

The more an employee is immersed in an experience and feels the consequences first-hand, the more real security will feel and the longer the information will stick. For example, if your solution lets you customize the training by putting the company name in news headlines, teaching about actual threats that could hit (or have hit) your company, and using real employee names in scenarios, it will be far more impactful.

Criteria 4: Can the Training Be Customized for Various Groups & Use Cases?

Your sales team will understand and implement security differently than your IT or support team, which is why one-size-fits-all training programs typically don’t work. Look for a solution that can provide different training experiences for different teams or categories of users (e.g. technical vs. non-technical). Each team touches different information and systems, has a different threshold for technical content, and has a different amount of time to devote to training, and the training should respect that.

Criteria 5: Is the Training Respectful of Employees’ Intelligence?

Your users don’t want to relearn information they already know, nor do they want to sit through training that’s way over their heads. Meet your employees where they are by ensuring that the training gives them the information they need for their job while minimizing what they don’t need. Know what content an employee has already seen and mastered, through knowledge checks or, better yet, real-world practice such as their demonstrated ability to detect and report phishing.

Presenting content that recognizes their previous accomplishments will make them feel respected. The truth is, most employees want to do better (they don’t want to be the source of a breach or incident!); they just need the right information in order to become better security advocates.

Criteria 6: Is the Training Actionable?

Everything you train and test your users on should be something they can implement quickly and easily. For example, don’t demand that employees use a unique password for every site without giving them a password manager to store those passwords; that would be an unreasonable request. This is a key part of the behavior change model: only teach, and only expect, behaviors employees can actually act on.

Criteria 7: Does the Training Make YOU Look Good?

Your training is your brand, so be mindful of what you put your name on. If it’s boring, long, and insulting to your employees’ intelligence, it will make you look bad. But if it’s unique, engaging, and interactive, employees will be much more likely to start, finish, and actually enjoy the training. When people want to get involved, your team gains credibility and exposure, which enhances your security team’s brand.

Criteria 8: Does it Address Real Security Threats?

There’s a big difference between theoretical and real-life training. Does the solution train on realistic threats that could actually hit your organization (e.g. phishing, malware), or is it focused on unlikely threats meant mainly to scare your users (e.g. nation-state and zero-day attacks)? The more closely training matches what users will actually experience and what they’re worried about, the more likely it is to stick and be useful when an incident does occur.

Your Action Plan: Security Awareness Training Made Memorable and Impactful

With these eight criteria in hand, you can quickly weed out old and ineffective approaches to training and narrow in on a better one. The more a security awareness solution fits your organization’s unique needs, the more effective it will be at reducing incidents, building a strong security culture, and providing a positive experience for employees.

We believe we’ve built the most engaging, efficient, and impactful security awareness solution on the market: Hacker’s Mind. A completely new take on security awareness training, Hacker’s Mind immerses your users into a team-based experience they’ll never forget.