Security Awareness Must Be Serious

We all know that security awareness training is a serious topic. After all, the amount of cyber attacks continue to grow because one of the biggest risks to our organizations, is our people.What we are looking to talk about today is how serious should your content be and how can you connect that content to your learners. After all security awareness is serious, right?

We work with organizations in many different industries including utilities, construction, retail, healthcare, you name it. Each industry has a different approach on what they are trying to protect, but the principals remain the same. We aim to help design a security awareness program that helps identify and educate on an organization’s biggest risks. Our goal is always to build a culture of security with the organization, not just for them.

Several months ago, our team was presenting our security awareness training program to a prospective organization and they were impressed with our innovative approach to security awareness training. After our follow-up call a week later, I was taken back by a comment that came up. The comment was, “Our executives decided not move forward with Curricula because it isn’t serious enough.”

I paused for a second and asked them to elaborate on the executive’s thought process regarding their decision. We hear decisions all the time based on budget, features, timing, etc. I get it, cyber security is a very serious topic in organizations today. Every day we see major breaches, attacks, and stories of companies being put out of business. It is no wonder that we are instilled with fear from the media about how important cyber security is and how devastating it can be for our businesses. Lucky for us there are a lot of great cyber security companies out there helping us defend against these threats with the latest and greatest technologies, security appliances, and software to protect against these ever evolving adversaries.

But when it comes to educating people about cyber security, we are humans, not machines. People don’t learn like machines. We have non-linear memories, limited resources, and a very short attention span. So let’s teach everyone about a very serious subject such as cyber security in the most serious way possible, right? Let’s put as much text as we can in our Powerpoint slides and force our people to try to memorize the text on those slides. That should work, shouldn’t it?

Just because something is serious, doesn’t mean it can’t be fun.

People connect to information in different ways through different mediums. We listen to the news, read books and magazines, talk with friends, watch online videos, talk in meetings, follow blogs, watch tv, interact on social media, and ultimately just try to absorb all this information and its meaning. From all of that data, we attempt to understand its purpose and how to apply it to our own lives. That seems like a lot to process!

So if we think about security awareness training in a way that can help us connect to security information and process it, why not make it fun? Why not make it memorable? Why are we limiting ourselves to the same old, boring processes to teach people? Why do we assume that cyber security education should be taught the same way machines learn? Lines and lines of code, interpreted by the machine, then processed to a predicted outcome.

So back to our original conversation, our response simply was “Just because something is serious, doesn’t mean it can’t be fun.” Everyone paused. The conversation ended and the organization continued back on its path of using heaps of text on hundreds of Powerpoint slides. So what went wrong? Well the decision explained here isn’t as uncommon as you think and typically applies to millions of organizations across the world.

Think about your favorite teacher or professor growing up. Chances are they were your favorite because you could relate somehow, someway to their content. You could understand the topic, subject, or exercise because dare I say, they made it fun. Think about the last time you were explained a new topic or concept from someone. Chances are the person explaining it, broke the concept down into a different point of view for you. Not only did it help explain the concept, but it also made it fun.

Fun means the experience itself should be enjoyable.

So what is fun? The concept of fun is a human sensation we have built in ourselves. Fun means that something is enjoyable or entertaining. Fun means the experience itself should be enjoyable. We all have different versions of what “fun” means to us. So think about, what makes something fun for you? It might be a change in perspective. It might be something new. It might be something you like. The point is to not confuse the concept of fun with the actual topic in discussion.

When you are building a security awareness program, think about different ways you can connect information to your learners. Think about what engages them. You might be surprised if you actually put in some effort to get this valuable feedback. Just because your cyber security experts have a PhD or technical certifications, doesn’t mean all of your learners will listen, understand, and retain knowledge from them. They might be experts in their field, but not expert instructional designers, educators, or communications marketers. Think about how to communicate information in a way your learners will understand and value in their own lives.

Security awareness training is a tough job and cyber security education is constantly evolving. If you come to the realization that your cyber security awareness program just isn’t doing its job, it may be time to rethink your approach. Just because something is fun, doesn’t mean it’s not serious. With just a little bit of thought and a focused effort, you can help improve your security awareness program. A fresh new approach might be all you need to help your learners understand cyber security, and have fun doing it.

If you need any advice or are simply looking for ideas to help turn around your security awareness program, reach out to Curricula, we would love to hear from you.