What is event-driven security awareness training?

Travis Good
February 25, 2022

We built training into Slack as a means of delivering content within the flow of work. The training we deliver is bite-sized and can be delivered all at once, typically at onboarding and on a regular cadence (e.g., annually).

Delivery in Slack feels like training is a part of regular Slack conversation. A recent survey of over 200 Haekka users found 85% preferred training delivery in Slack over other platforms. With this reduced friction, Haekka customers see high completion rates in a fraction of the time. And, since we automate all of this, admins spend no time assigning training to groups or individuals.

The delivery of security awareness and privacy training in Slack addresses the job to be done (JTBD) of automating required training for audits like SOC 2 and HIPAA. We talk about Haekka as the *easy button for security awareness and privacy training* or *putting security awareness training on auto-pilot* because it’s simple for admins to manage and it’s easy for users to complete. This first iteration of Haekka was differentiated in the market because it was Slack-native, meaning all training was delivered in Slack.

The next iteration of Haekka training will be event-driven (EVDT). This new iteration addresses the same JTBD of required training as our first iteration but in a way that is differentiated from the rest of the market in how and when training is triggered and delivered to users. While Haekka and event-driven training can be used as the sole security awareness training vendor for a company, it can also succeed as a companion to existing vendors like KnowBe4, Curricula, Mimecast, and Wizer.

What is event-driven training?


Event-driven training can be described in three parts:

  1. A user event: an action an end-user takes within a SaaS app (Google Workspace, Zendesk, Salesforce, Hubspot, etc.).
  2. A trigger: a signal that is sent back to Haekka from said SaaS app (via API integration).
  3. A training: the resulting training that Haekka sends to the user based on their action (think bite-sized, singular, and self-contained messages in Slack).

Haekka integrates with SaaS apps like Google Workspace, Salesforce, and Zendesk to capture events and subscribe to triggers. Training based on these events is delivered to users in near real-time via Slack.

Use cases and examples:

  • A user shares a Google Drive file with public access.
  • A user exports a list of contacts from Salesforce.
  • A user opens a ticket with an IP address from the EU.
  • A user invites an external user to a Slack channel.

Additionally, Haekka is able to ascribe a risk determination to each triggered event. This risk can be aggregated to provide enhanced visibility and metrics around overall SaaS app risk. Haekka’s risk score provides admins with a singular critical target metric and clear ROI for acting on that metric.

Why event-driven training is needed

Companies today, on average, use over 250 SaaS apps. These apps are where work happens, and most employees have complete autonomy when it comes to app configuration and usage. Security teams cannot effectively assess or manage the risk from the use of these SaaS apps. Configuration management and single sign-on tools are not entirely effective at capturing or changing employee behavior in these apps.

Smart, hyper-contextualized training delivered to employees based on triggers in the flow of work captures, measures, and mitigates risk from these SaaS apps. Security leaders can use Haekka to get their arms around the risk from the myriad of SaaS apps in use at their companies and the flow of work from their remote and hybrid workforces in those SaaS apps.

How to implement event-driven training?

The reason we started with Slack was that we felt it was an ideal starting point to engage with users, not simply to send them training. Feedback from users confirms this. Slack training is better for engagement than traditional training. With Slack and Haekka, delivery is done.

Our implementation of EVDT relies heavily on integrations with SaaS app APIs. If you're familiar at all with APIs like Slack's, you'll know there are dozens of events to which you can subscribe. This provides a very clear picture of what a user is doing within an application. Events sent to Haekka are scored on a risk scale: no risk, low risk, medium risk, and high risk. Once the action's risk is determined, we then engage the user (that is, send them training in Slack) dynamically based on the tool, the risk, and the user’s past behavior (we don't just send the same users the same messages over and over for each action they take).

EVDT will also avoid alert fatigue by implementing granular controls to sleep or snooze notifications, as well as cool-off periods.
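The decision flow described above (score the event, then decide whether and what to send given snooze, cool-off and past behavior), sketched as an added example that is not Haekka's code. The event names, risk assignments, lesson IDs and cool-off durations are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical risk table keyed by (app, action); levels follow the page's scale.
RISK = {
    ("google_drive", "share_public"): "high",
    ("salesforce", "export_contacts"): "medium",
    ("slack", "invite_external"): "low",
}
# Hypothetical lesson variants per event type, rotated so a user does not
# receive the same message twice in a row when more than one variant exists.
LESSONS = {
    ("google_drive", "share_public"): ["drive-public-links-1", "drive-public-links-2"],
    ("salesforce", "export_contacts"): ["crm-export-1"],
    ("slack", "invite_external"): ["slack-guests-1"],
}
# Assumed cool-off windows: higher risk tolerates more frequent reminders.
COOL_OFF = {"high": timedelta(hours=1), "medium": timedelta(days=1), "low": timedelta(days=7)}

@dataclass
class UserState:
    snoozed_until: datetime = datetime.min
    last_sent: dict = field(default_factory=dict)   # event key -> datetime
    sent_count: dict = field(default_factory=dict)  # event key -> int

def decide(state: UserState, app: str, action: str, now: datetime):
    """Return (risk, lesson_id or None, reason) for one incoming event."""
    key = (app, action)
    risk = RISK.get(key, "none")
    if risk == "none":
        return risk, None, "no-risk"
    # Snooze suppresses delivery only; the risk is still returned for metrics.
    if now < state.snoozed_until:
        return risk, None, "snoozed"
    last = state.last_sent.get(key)
    if last is not None and now - last < COOL_OFF[risk]:
        return risk, None, "cool-off"
    n = state.sent_count.get(key, 0)
    variants = LESSONS[key]
    lesson = variants[n % len(variants)]
    state.last_sent[key] = now
    state.sent_count[key] = n + 1
    return risk, lesson, "sent"

if __name__ == "__main__":
    s, t0 = UserState(), datetime(2022, 2, 25, 9, 0)  # constructed sample events
    for mins in (0, 10, 120):
        print(decide(s, "google_drive", "share_public", t0 + timedelta(minutes=mins)))
```

Suppressed events still return their risk level, so an aggregate risk metric does not undercount users who have snoozed notifications.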

The evolution of Haekka

Here’s the abbreviated evolution of Haekka.

  • Haekka 1 and 2: innovation and differentiation on delivery and consumption of training in the flow of work (in Slack).
  • Haekka 3: innovation and differentiation on the timing and intelligence of training in the flow of work (from events in SaaS apps).

If you’re interested in learning more about event-driven security awareness training or want to join our beta, we’d love to connect.