5 Strategies for Improving the Effectiveness of Your Awareness Program

Post on 03-Aug-2020


Page 1: Strategies for Improving the Effectiveness of Your Awareness ...pages.mediapro.com/rs/889-LYM-560/images/MediaPro_5...To summarize, five key strategies for improving awareness program


INTRODUCTION

If you’re reading this, you likely already have some sort of security or privacy awareness program in place at your organization. Congratulations! This means you’re not relying solely on technical solutions to address persistent and emerging threats to security and privacy. Awareness programs are a vital part of any security or privacy management effort, because they work. In their annual U.S. State of Cybercrime Survey, PricewaterhouseCoopers found that 42% of survey responders said awareness training for new employees had a hand in discouraging potential attacks. [1]

But now you’re looking for something to pump up your awareness program. Real employee behavioral change is what you’re after, and that means putting an even greater emphasis on the human element: how humans learn and process information, and the best ways to get that information to stick. After all, your employees are ultimately the only things standing between your organization and a data breach or privacy policy violation. For example, the 2015 Verizon Data Breach Investigations Report found that people account for a full 90% of all security incidents. [2] Whether it’s sending a confidential email to the wrong person, letting malware into your network, or simply losing their computer, humans hold the success of cybersecurity and privacy programs in their hands.

Your job is to make sure those hands know what they’re doing, and MediaPro is here to help. The more informed your employees are about protecting information, the safer your vital business information, and ultimately your bottom line, becomes. In this white paper, we’ll explore five strategies for improving the effectiveness of your awareness program.

“90% of security incidents involve human action.” (2015 Verizon Data Breach Investigations Report)


1. Make Sure It’s Relevant

In other words, don’t waste your employees’ time. Keeping your employees up to date on the latest in cybersecurity threats or privacy best practices is challenging enough without the training content you deploy working against you. Here we’ll introduce John Keller’s ARCS model of adult learning, which has proven to be particularly effective in the privacy and security awareness disciplines, as it lends itself to being systematically aligned to the essential aspects of a good awareness training program.

ARCS stands for Attention, Relevance, Confidence, and Satisfaction. Though all four principles are important, “relevance” is especially vital. The relevance principle states that adult learners more readily accept the information in training when they can see how it relates to their interests, job role, and personal objectives. If the content is helpful in accomplishing one’s personal or business goals, then the learner is more likely to be motivated. If not, your employees are less likely to retain the material.

Relevancy, then, improves the effectiveness of an awareness program by ensuring only content pertinent to an individual employee’s role or responsibilities is delivered to that employee. For example, an IT technician is not going to care about the privacy principle of safeguarding conversations with potential hires. However, this topic is entirely within the wheelhouse of HR personnel. Why make your IT staff sit through training that doesn’t matter to them? Delivering relevant content makes sure the right lessons get to the right people, your employees’ time isn’t wasted, and—most importantly—the lessons will stick.

2. Run Assessments Regularly

Ideally, you assessed employee knowledge before you implemented your awareness program. If not, the best time to do that is now. The most effective awareness programs take their strength from a clear understanding of what your employees don’t know. Because what they don’t know will come back to bite you!


When it comes to both understanding the risks you face and then measuring the success of your security or privacy awareness program in addressing those risks, you need data. You want to be able to quantify the baseline knowledge and behavior of your employees at the start of your program, and you want to know if the education you provide to them has made an impact. You want to be able to answer the question: “Has this program led to behavior change?” Assessments, then, should come early and relatively often throughout your awareness program.

Assessments can take the form of surveys sent out to your employees before and after training implementation. Phishing email simulations and other simulated social engineering attacks (such as leaving an unmarked USB drive in a common work space to see if employees take the bait) are also great ways to test the knowledge of your employees. If you’re able to integrate some of the new user behavioral analytics (UBA) tools into your IT infrastructure, you may even be able to assess real user behavior and address it with just-in-time training. Data regularly accumulated from such measures—whether simulated phishing programs, surveys, or UBA tools—can be used to make improvements to your awareness program. Are your employees great at avoiding phishing email attempts, but not so great at physical social engineering attacks? Assessments like these can tell you, and you can adjust your training accordingly.

Knowledge is indeed power, but as “How to Win Friends and Influence People” author Dale Carnegie said, only if it is applied.

3. Adapt to Survive

“Adapt to survive” is more than just a catchy phrase. Whether in the fields of security or privacy, the landscape is changing almost constantly. New security threats, shifting privacy regulations, and myriad other factors all combine to make an adaptive awareness program worth its weight in gold. By adaptive, we mean a program that is predictive of risks, can continuously be improved upon, and that becomes part of the organizational culture through constant reinforcement (more on reinforcement later).


A key attribute of an effective awareness program is the ability to adapt to emerging threats of all types. An awareness program should be built to allow the addition of new educational content quickly and easily. A flexible awareness program framework that allows for simple yet powerful training course customization is essential to achieving this goal.

Adaptive also means the ability to continually analyze and improve content even without the sudden emergence of new security threats or changing privacy regulations. We’ve discussed the importance of regular assessments, and the goal of these assessments meshes perfectly with the ability to be adaptive. As the knowledge level of your employees changes, so must the content you deliver. Those who adapt, survive.

4. Call in the Reinforcements

Relevant training based on regular assessments is an essential component of an effective security or privacy awareness program, but it’s rarely sufficient on its own to bring about real behavior change. Simply teaching someone how to do something once does not create a habit. A habit is something you practice, and it must be constantly reinforced. Security- and privacy-aware behaviors must be fostered the very same way, like a muscle you hope to grow and develop.

Moreover, sound security and privacy practices are simply too important to get lost among the thousands of other messages your employees are regularly exposed to. You’ll have competition for employees’ attention, which is why it’s so important to use high-impact, high-interest reinforcement material to gain that attention.


But what does effective reinforcement look like? A good place to start is with the notion of “effective frequency”—an advertising industry term that applies perfectly to the reinforcement context. It refers to the number of exposures to an advertising message that are required to achieve “effective” communication. The actual number of repetitions has been quoted at three, seven, even 20, but suffice to say that effective communications require more than one impression delivered via multiple channels.

Additionally, reinforcement works best when it is delivered in creative, resourceful, and fun ways, and when the message varies over time. To this end, a good security or privacy awareness provider will maintain a library of reinforcement content that is deep and wide. Such a library will ideally include, but is not limited to, animations, posters, and games. This medley of tools and messages must also exhibit strong alignment with the foundational training—the primary learning you are seeking to reinforce.

5. Train and Reinforce All Year Round

Imagine if education were based on spending an hour or less on a topic, followed by an ever-present threat that you could be tested on this topic at any time over the next year. Think of trying to learn all the elements on the periodic table in a single, short cram session. After your time is up, your teacher tells you to leave for the day. But, she tells you she’ll call you back a handful of times within the next year to test you on what you’ve learned.

Sounds pretty rough, doesn’t it? Well, with security or privacy awareness training that only happens once a year, that’s what you’re subjecting your employees to. Your employees face cybersecurity threats and challenges to their privacy practices knowledge on a daily basis. A few hours of education on the dangers of phishing emails, for example, or protecting personal health information might not be enough.

This is where year-round training and reinforcement comes in. With data from regular knowledge assessments in hand, you can deploy additional training or carefully selected reinforcement materials to cement your security or privacy lessons with your employees on a need-to-know basis. Multiple educational theories differ on the exact number of repetitions needed for a lesson to stick with the learner. However, as discussed earlier, repetition is key to convincing your employees that keeping security and privacy top of mind is essential to the health and wealth of the company—and that when it comes to these two topics, what they do really matters. That’s your message, and it bears repeating. Often.

Conclusion

To summarize, five key strategies for improving awareness program effectiveness are:

• Ensuring the training content is relevant for different segments of employees

• Assessing employee knowledge effectively and using this data to alter training content and messaging as needed

• Maintaining the ability to quickly adapt to emerging threats, new regulations, and shifting employee knowledge

• Reinforcing key training topics regularly through a variety of means

• Developing year-round training and reinforcement strategies

As with all self-improvement goals, consistent improvement is more important than changing things as quickly as possible. These strategies do not need to be deployed immediately, nor do they need to be deployed all at once. However, a more effective security or privacy awareness program, no matter your starting point, should be your goal. And your organization will thank you for it.

Want to see how all these strategies can be rolled into a single, robust awareness program? Contact us today or schedule a demo to learn how MediaPro’s Adaptive Awareness Framework can bring your awareness program to the next level.


About MediaPro

MediaPro creates engaging e-Learning experiences that transform behavior, improve performance, and achieve business results. We offer a suite of security awareness, privacy awareness, and compliance tools and services that are used by the most risk-aware companies in the world. We deliver award-winning awareness training courseware, reinforcement resources, and a cloud-based LMS solution.

For more than two decades, MediaPro has been helping enterprises of all kinds improve the professional performance of their people. We’re passionate about our work in adult learning, and it shows in the quality of our courses, the delight of our clients, and in our industry recognition.

Sources:

1. 2014 U.S. State of Cybercrime Survey, PricewaterhouseCoopers

2. 2015 Verizon Data Breach Investigations Report, Verizon Enterprise
