Today’s organizations are investing in cybersecurity controls and technologies more than ever before. It’s easy to understand why. Data breaches and compliance fines aren’t just inconveniences in the modern world of business. They’re potential points of failure.
A wide-scale security incident can completely erode customer trust and the bottom line, putting some organizations out of business. And yet, for all of the increasing investment in cybersecurity tools, data breaches continue to rise year after year.
The reason?
Human error. As Stanford research shows, 88% of data breaches stem from the accidental insider threat. Whether that’s an employee falling for a phishing attack, misconfiguring a cloud instance or using a simple password, employees are consistently the number one trigger for data leakage and misuse.
The problem with traditional security awareness training
To reduce the fallout of human error, organizations realize that they need to invest in cybersecurity awareness training. In most instances, though, this training fails to deliver a return on investment.
This is exemplified by research showing that only 9% of people who receive training annually, quarterly or monthly actually remember it.
Whether you educate your employees through eLearning programs, annual “security away days”, or ‘lunch and learn’ sessions, opting for passive learning mechanisms will never result in the desired impact.
By ‘passive learning’, we mean training systems where the student is given information to ingest, without any real chance for dialogue, discussion or action.
Passive learning programs tend to share the following traits:
Irregular
Training programs are vital for educating employees about their pivotal role in safeguarding organizations from threats.
However, companies often view training as a mere compliance checkbox, aiming to appease regulators and suppliers rather than prioritizing its efficacy. Consequently, little effort is invested in crafting meaningful training experiences, with a focus solely on completion.
Furthermore, traditional training formats often disrupt employees’ workflow, particularly for those with high billable hourly rates.
Consequently, training sessions are typically infrequent, occurring yearly or quarterly, with limited emphasis placed on cybersecurity awareness beyond these scheduled events.
Unfortunately, irregular training rarely yields the desired result. As Harvard Business Review research shows, only 10% of employees remember training after a single session.
Disengaging
Many training programs are, quite simply, mundane, with lengthy sessions, outdated technology, unfriendly user interfaces, and impersonal messaging. It’s no wonder that research indicates that approximately one in five employees opts out of security training altogether.
Typically, security training involves nothing more than a series of hour-long videos that lack creativity and fail to capture the interest of participants. This monotony creates an unstimulating learning environment that ultimately discourages viewers from taking the content seriously or retaining it.
Impersonal
Security training often adopts a one-size-fits-all approach, offering identical content to all employees within an organization. However, it’s important to recognize that each employee holds unique roles and accesses different parts and systems within the organization.
This lack of personalization can result in confusion, information gaps, or an overload of irrelevant information based on individual responsibilities.
Furthermore, the failure to personalize training content means employees may struggle to comprehend how it relates to their specific roles and daily tasks, hindering their ability to implement security protocols effectively.
Introducing active learning
Passive learning essentially spouts information at the end user in the hopes they will retain it. As we’ve shown, this form of education is wholly ineffective at encouraging security-conscious behavior for the long term.
To truly mitigate the risks of employees falling for phishing attacks, sharing data inappropriately and breaching compliance mandates, organizations need to embrace a new approach, known as active learning.
With active learning, the training experience becomes part of the employee workflow. They learn about security “on the job” and in real-time instead of theoretically during a training session.
One example of active learning is the password strength meter, which often appears when signing up to a new website. These meters dynamically transition from red to green in accordance with the complexity of the password chosen.
Intrinsically, individuals want to aim for the green indicator, prompting them to create robust passwords. This is active learning in practice: leveraging behavioral science to encourage individuals towards making more secure choices.
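To make the password strength meter concrete, here is an added example (not Polymer's code or any product's implementation) of how such a meter scores a candidate password and maps the score onto the red-to-green band the user sees. The scoring rule, the colour thresholds and the deny-list of common passwords are all assumptions chosen for illustration; length carries most of the weight, because meters that reward character classes alone rate short "P@ssw0rd"-style strings far higher than they deserve, and the hint text is the nudge that turns the meter into active learning.

```javascript
// Added example (not Polymer's code): a minimal password strength meter of
// the kind the article describes. Scoring rule, thresholds and deny-list
// are assumptions for illustration.

// Constructed deny-list; a real meter would check a far larger list of
// breached or commonly used passwords.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
]);

// Score 0..6. Length contributes up to 4 points, character variety at most 2,
// and a run of three or more identical characters costs a point.
function scorePassword(pw) {
  if (!pw || COMMON_PASSWORDS.has(pw.toLowerCase())) return 0;
  let score = 0;
  if (pw.length >= 8) score += 1;
  if (pw.length >= 12) score += 2;
  if (pw.length >= 16) score += 1;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  score += Math.min(classes - 1, 2);
  if (/(.)\1{2,}/.test(pw)) score -= 1; // runs like "aaa" or "111"
  return Math.max(0, Math.min(score, 6));
}

// Map the score onto the colour band shown beside the input field.
function meterColor(score) {
  if (score <= 2) return "red";
  if (score <= 4) return "amber";
  return "green";
}

// The hint is what makes the meter "active learning": at the moment of
// choosing, the user is told what would move the indicator toward green.
function meterHint(pw, score) {
  if (!pw) return "Enter a password.";
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    return "That password is on a list of commonly used passwords; choose something unique.";
  }
  if (pw.length < 12) return "Longer is stronger: try a phrase of 12 or more characters.";
  if (score < 5) return "Add a word or a few characters of a different type to reach green.";
  return "Strong password.";
}

// What a UI would render for a given input: score, colour and nudge text.
function renderMeter(pw) {
  const score = scorePassword(pw);
  return { score, color: meterColor(score), hint: meterHint(pw, score) };
}

// Stand-alone demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  for (const pw of ["password", "Abcdef1!", "correct horse battery staple"]) {
    console.log(JSON.stringify(pw), renderMeter(pw));
  }
}
```

Wire `renderMeter` to the input's change event and update the bar colour and hint on every keystroke; the deny-list check is what stops a short, popular password from ever reaching green, whatever characters it contains.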
In essence, an active learning training program directly combats all the issues that prevent training from being effective. Here’s how:
- Often: Active learning solutions deliver training as prompts and nudges within the employees' workflow, including applications like Slack, ChatGPT and Microsoft Teams. These prompts appear throughout the workday in response to relevant actions and triggers.
- Relevant: Best-in-breed active learning solutions are contextually aware, delivering training prompts tailored to each user’s role and permissions to ensure relevance.
- Engaging: Instead of training being a one-way street, active learning facilitates a dialogue between the training solution and the employee, which dramatically improves engagement. Moreover, because training is delivered in “bite-sized” chunks of less than a minute, it is easier for the user to digest and understand the training segment.
What to look for in an active learning solution
Active learning is, undoubtedly, the future of cybersecurity awareness training. The rise in breaches led by human error underscores that passive training approaches aren’t working.
With that in mind, here are the key features to look for in an active learning solution:
- Real-time, embedded training: For maximum impact, your active learning solution will deliver training when an employee attempts to violate a security policy. This method is proven to boost learning retention and reduce the likelihood of employees making the same mistakes over and over.
- ROI metrics: Being able to quantify security investments has long been a challenge for security teams. However, best-in-class active learning solutions are embedded with data analytics and capture employee risk scores over time. As these scores reduce, you’ll be able to numerically show the benefit of your awareness program to stakeholders.
- Automated: Look for a solution that requires little manual intervention, allowing you and your team to focus on higher-value, strategic projects while the solution works autonomously on your behalf.
- DLP: Solutions like Polymer data loss prevention (DLP) combine active learning with AI-powered data loss prevention to educate employees on security-conscious behaviors while mitigating the risks of data leakage and human error.
Ready to revolutionize security training outcomes? Find out more about Polymer DLP’s active learning solution today.