By Kristina Susac, Vice President of Berkley Executive Education
What do you do when you receive a promotional email that a brand seems to have sent you by mistake? Delete it and move on, right? Humans try to spend as little time as possible on information that is not relevant to them. Attackers know this and prey on it: the mental shortcuts that let us triage information quickly also make our responses predictable, and predictable responses are easy to manipulate.
Information technology (IT), security and training departments must change their approach to cybersecurity awareness training if they want to improve their organization's security posture, especially now that hybrid and remote work is the norm. With businesses of every size and industry reporting large-scale breaches daily, it is no secret that the traditional annual, all-hands security seminar is not changing behavior.
Companies must make security education a daily experience for employees to improve knowledge retention and long-term user behavior. This is why a growing number of IT and security leaders are adopting contextualized, longitudinal learning.
Creating a Cyber-immune Culture
Historically, enterprises viewed security as a technology or IT problem rather than a shared responsibility across the entire organization. Today, the top concern of forward-looking security leaders when it comes to fortifying their organizations is combating human error. This shift in perception has helped business leaders understand that cybersecurity awareness and training are not the responsibility of one siloed team. Cybersecurity is an organizational priority.
Organizations are trying to improve security by holding workers more accountable for preventing data breaches. It is unrealistic, however, to hold employees to that standard without equipping them with the knowledge and resources they need to recognize and respond appropriately to sophisticated threats. Employees accept shared responsibility more readily when feedback is tied to their own actions and applies specifically to them.
Longitudinal learning draws on the principles of adult learning combined with modern technology to promote learning, retention, and knowledge transfer. This approach involves administering shorter assessments of specific content, such as medical knowledge, repeatedly over a period of time. Longitudinal learning is widely used across continuing and higher education organizations to ensure learners’ long-term success.
Because humans respond best to contextualized, short-form learning, it is time for business leaders to adopt this proven approach, which the education sector has used for years. To change human behavior, feedback must arrive as a short nudge immediately after the risky action and then be repeated consistently over time; only then is it effective and does it produce accurate, measurable results.
Avoid Risky Behaviors With Longitudinal Learning
Just as highly sophisticated cyberattacks are evolving daily, security awareness coaching needs to reflect that same fluidity. The most effective security training programs operate like a cybersecurity GPS, keeping users on the right path and preventing them from engaging in risky behaviors that could put sensitive information in danger. It needs to fit seamlessly into its users’ workflows, evolve as employees’ aptitude progresses, and deliver information about zero-day threats and new hacking techniques.
When an individual receives direct feedback based on a specific, real-world action, they tend to have an “Aha” moment, helping them absorb and apply the lessons learned over time. It’s possible to break employees out of bad habits through consistent and persistent guidance. The goal is to create a personalized coaching program that inspires positive changes in user behavior. As this same method is applied consistently over months or even years, you can incorporate new skills and competencies over time.
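The mechanism described above (a nudge delivered at the moment of the risky action, followed by short assessments on the same topic repeated at growing intervals, with per-user state that can be reported on) can be sketched as a small event-driven coaching engine. The following is an added example written for this page, not code from the author or from any training product; the event names, topics, nudge text, interval table and the sample event stream are all constructed assumptions.

```python
"""Event-driven security-awareness coaching with spaced follow-ups (added example).

A risky action triggers an immediate, action-specific nudge and restarts a
spaced-repetition ladder for that topic; each micro-assessment result moves the
learner up or down the ladder and sets the next due date. Event names, topics,
nudge text, interval table and sample events are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed mapping from telemetry event names to training topics.
TOPIC_FOR_EVENT = {
    "phish_sim_click": "phishing",
    "phish_sim_credential_entry": "phishing",
    "external_attachment_send": "data_handling",
    "unmanaged_usb_mount": "removable_media",
}

# Short feedback tied to the specific action, delivered at the moment it happens.
NUDGES = {
    "phishing": "That link came from an unverified sender; check the domain before clicking.",
    "data_handling": "This attachment went to an external address; confirm classification and recipient.",
    "removable_media": "Unmanaged USB storage is not allowed; use the approved file-transfer service.",
}

# Spaced-repetition ladder: days until the next micro-assessment at each mastery level.
INTERVALS = [1, 3, 7, 14, 30]


@dataclass
class TopicState:
    level: int = 0                      # index into INTERVALS; higher means longer gaps
    next_due: Optional[date] = None
    risky_events: int = 0
    correct: int = 0
    incorrect: int = 0


@dataclass
class Learner:
    user: str
    topics: Dict[str, TopicState] = field(default_factory=dict)

    def topic(self, name: str) -> TopicState:
        return self.topics.setdefault(name, TopicState())


class CoachingEngine:
    def __init__(self) -> None:
        self.learners: Dict[str, Learner] = {}

    def _learner(self, user: str) -> Learner:
        return self.learners.setdefault(user, Learner(user))

    def on_risky_action(self, user: str, event: str, when: date) -> Optional[str]:
        """Return the nudge for a mapped risky action and schedule a next-day follow-up."""
        topic = TOPIC_FOR_EVENT.get(event)
        if topic is None:               # unmapped telemetry: nothing to coach on
            return None
        st = self._learner(user).topic(topic)
        st.risky_events += 1
        st.level = 0                    # a real slip restarts the spacing ladder
        st.next_due = when + timedelta(days=INTERVALS[0])
        return NUDGES[topic]

    def on_assessment(self, user: str, topic: str, correct: bool, when: date) -> date:
        """Record a micro-assessment result; correct answers widen the gap, misses narrow it."""
        st = self._learner(user).topic(topic)
        if correct:
            st.correct += 1
            st.level = min(st.level + 1, len(INTERVALS) - 1)
        else:
            st.incorrect += 1
            st.level = max(st.level - 1, 0)
        st.next_due = when + timedelta(days=INTERVALS[st.level])
        return st.next_due

    def due(self, when: date) -> List[Tuple[str, str]]:
        """(user, topic) pairs whose follow-up is due on or before `when`."""
        return sorted((l.user, t) for l in self.learners.values()
                      for t, st in l.topics.items() if st.next_due and st.next_due <= when)

    def report(self) -> Dict[str, Dict[str, int]]:
        """Per-topic view for leadership: risky events, learners enrolled, learners at top level."""
        out: Dict[str, Dict[str, int]] = {}
        for l in self.learners.values():
            for t, st in l.topics.items():
                row = out.setdefault(t, {"risky_events": 0, "learners": 0, "at_top_level": 0})
                row["risky_events"] += st.risky_events
                row["learners"] += 1
                row["at_top_level"] += int(st.level == len(INTERVALS) - 1)
        return out


def demo() -> dict:
    """Run a constructed event stream (sample data, not real telemetry) through the engine."""
    eng = CoachingEngine()
    d0 = date(2024, 3, 4)
    nudge = eng.on_risky_action("alice", "phish_sim_click", d0)            # due 03-05
    eng.on_assessment("alice", "phishing", True, d0 + timedelta(days=1))   # due 03-08
    eng.on_assessment("alice", "phishing", True, d0 + timedelta(days=4))   # due 03-15
    last = eng.on_assessment("alice", "phishing", False, d0 + timedelta(days=11))  # back to 3-day gap
    eng.on_risky_action("bob", "external_attachment_send", d0 + timedelta(days=2))  # due 03-07
    return {"nudge": nudge, "alice_next_due": last.isoformat(),
            "due_on_2024_03_15": eng.due(date(2024, 3, 15)), "report": eng.report()}


if __name__ == "__main__":
    print(demo())
```

The two design points worth noting: a real slip resets the learner to the shortest interval rather than merely decrementing it, because the observed behavior outweighs any earlier quiz score, and the report counts events and mastery per topic rather than per person, which is what makes the culture measurable without turning the program into a "Gotcha!" scoreboard for individuals.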
To put it simply, a personalized, longitudinal learning approach is the most effective way to strengthen an organization's cybersecurity culture. It cultivates an environment where employees feel their time is respected, the information is relevant, and the content is delivered in an empowering and encouraging tone rather than as a "Gotcha!". For employees, it creates a sense of real progress toward the company's broader security goals. For the organization, it produces a cybersecurity culture that can be measured and that has buy-in from across the whole company.