Security Awareness Needs a New Experience, Not More New Content

October 31, 2022

If you are shopping for a security awareness vendor, you have Netflix-style variety at your fingertips. Below are some of your options:

  • Hollywood style - Habitu8 (acquired by Arctic Wolf) or KnowBe4 (acquired by Vista)
  • Anime - NINJIO
  • Cartoon villains - Curricula (acquired by Huntress)
  • Dry comedy - Ataata (acquired by Mimecast)
  • Escape room style - LivingSecurity

As you can see, there are lots of different ways to create content that delivers the same message about using strong passwords, updating your devices, detecting phishing, or the other common security awareness topics.

The problem is, users aren’t looking for new forms of content to teach them the same lessons. As an example, your employees know strong passwords are better than weak passwords. Teaching them using a new video format or approach won’t improve their password hygiene.

Security awareness needs a new approach, not new content covering the same topics. This approach needs to leverage data about how your employees learn to provide them with an experience, not content, that engages them on a regular basis.

The Security Awareness Experience

When you think beyond content innovation in security awareness, there are 2 primary dimensions in which you can build a security awareness experience that 1) users will enjoy and 2) is effective. These 2 dimensions are frequency and context.

Security Awareness Training Frequency

In order for users to retain what they are taught, they need training to be as frequent as possible. Here is some of the data about retention and training frequency:

  • Monthly training - 58%
  • 3 month training - 26%
  • 6 month training - 21%
  • 12 month training - 15%

That data 👆 shows that you have a nearly 50% loss of retention after only 1 month. The best training frequency, from a retention standpoint, is somewhere between 1 day and 1 week. To accomplish this, training needs to be fast and engaging and require no prep time. This is similar to how many SAT training services operate.

Security Awareness Training Context

Context matters. It matters for training. It matters for security. The most effective experience for training, especially frequent, short training, is within the context of work.

Context switching maximizes distraction and adds lots of time before employees can get back to being productive. Here’s what we mean by context switching:

  • Employee gets an email notification of a new training.
  • Employee clicks the link in email and is taken to a web app.
  • Employee logs in to a web app.
  • Employee views and hopefully completes training fast.
  • Employee navigates back to what they were working on.

The above is a waste of time and attention. It also burns goodwill from employees about security awareness training.

Alternatively, here’s what we mean by training in context:

  • Employee gets a training notification in Slack.
  • Employee navigates to notification.
  • Employee completes training in Slack (completion is logged).
  • Employee goes back to previous Slack channel.

The above is fast, requires no new logins, and does not take the employee out of the flow of work.

---

Security awareness needs to move beyond content and examine the overall experience of learners. By changing frequency and context, security thinking starts to embed itself into the flow of work.
