Security Engagement Over Security Awareness

Travis Good
June 1, 2022

In our last post, we discussed how frequently you should train users on security awareness. Data shows that training should be done monthly, at a minimum, if the goal is to have training be effective (and not just check the box).

At Haekka, we believe you need to flip the question and stop considering “how often do you train your employees on security awareness” and instead focus on “how frequently do you engage with employees on security awareness”. Engagement is a better bar if the goal is retention, behavior change, and incorporating a security mindset into day-to-day work.

How often should you engage with employees on security awareness?

If you believe security awareness training is important because your employees need help to combat the constant stream of attacks waged against them (phishing, vishing, malware, account takeover, ransomware, etc.), then you need to go beyond checking the box. As the data in our last post shows, more frequent training improves effectiveness. At a minimum, monthly training is a good starting point, even though it has its weaknesses, as noted in our last post, namely that specific topics are covered infrequently.

At Haekka, we leverage our Slack integration to drive more frequent training. When we talk about training in the flow of work, we mean that we can deliver training in snippets, in the apps users are already in, on a regular basis without blocking work.

We still offer lesson-based security awareness courses. These courses are typically done at onboarding and sometimes recur annually. But many Haekka users do this training once and then engage with our frequent training snippets.

By default, we deliver relevant, up-to-date training each week. These are short, 30-90 seconds, but the repetitive nature results in more retention of the topics and, more importantly, a more prevalent security mindset. When you consider getting 50+ different security awareness topics in a year, there is some redundancy in the topics and categories covered. This is by design. Our weekly training tells the same story in different ways, ensuring more of the content is retained.

In addition, we provide all Haekka customers with the ability to quickly create ad-hoc or recurring messages, announcements, quizzes, or surveys. These are not full courses and are not meant to replace full courses. We call these Engagements. They can be created in under 5 minutes and delivered to individuals, groups, channels, or all users in Slack.

The last thing we do at Haekka to drive training effectiveness is delivering training based on employee actions. The actions we use are things that employees do in SaaS apps like Slack, Google Workspace, or Zoom. The event-driven nature of this type of training is not on a specific cadence but is real-time and hyper-contextual to the work a person is doing. Context, like training frequency, matters.

---

Here's a simple way to frame training vs engagement.

  • Context and frequency drive connection.
  • Connection drives engagement.
  • Engagement drives effectiveness.

At Haekka, we continually deliver hyper-contextual training to users. We connect security to employees. This connection is what drives security engagement and effectiveness.