By Dr. Liz Herman | STC Associate Fellow
Picture the scene. You are looking at your computer screen. If you are lucky, the only sound is the soft click of the mouse button as you navigate, because you muted the narration. As soon as the e-learning module allows, you move to the next page. You may be checking text messages on your phone while the e-learning page loads its content. You may switch to another screen on your computer and answer some emails, Google Chat with a colleague, or check out the STC Communities Slack workspace. Whatever you are doing, you are probably not paying full attention to the task at hand, which is completing your organization’s annual cybersecurity training. How many of us sit through rote cybersecurity training clicking the “Next” button without absorbing or retaining any of the content? If the average cost of a cybersecurity attack is $1.7 million, according to the Global Application and Network Security Report, how can we ensure that organizational cybersecurity training is meaningful and its content retained?
Technical communicators play two roles related to cybersecurity training. The first role is that technical communicators often serve as training developers employed in the development of cybersecurity training. Although the figure is not specific to cybersecurity training, forty-five percent of technical communicators responding to the Society for Technical Communication’s 2018 Census (Carliner and Chen 2018) noted that they had produced training and tutorial materials in the past 12 months. We can assume that some of that training was likely the annual cybersecurity training that gets deployed. The second role is that technical communicators, along with other organizational employees and contractors, are recipients of that training. In either role, the question of how to make the training more engaging and meaningful may be top of mind.
Current State of Cybersecurity Training
To discover the current state of cybersecurity training, the author interviewed two experienced training managers and initiated a survey to collect additional perspectives. When asked about cybersecurity training, Doris Tempelmeyer, a strategic, goal-oriented training manager with an eye for process improvement, answered, “Compliance training. Two words guaranteed to get an eye roll. Compliance training needs a reboot.” Cybersecurity training is often wrapped into what organizations call annual compliance training. Tempelmeyer listed the issues she sees with cybersecurity/compliance training: dry monologues, technical jargon, long and extraneous courses, and infrequency. Regarding the infrequency of the training, Tempelmeyer notes, “You don’t consume a year’s worth of vitamins in one meal; you take a daily dose.” A survey respondent who self-identified as a trainer and cybersecurity specialist echoes Tempelmeyer’s comments on infrequency: “I’m used to some pretty heavy-duty material. Training should be more frequent than once a year; it should be fully supported by management, and attendees should be tested on their comprehension and on their adherence to any key practices or policies.”
Nancy Workman, Senture, LLC Training Manager, who works with the author, shared that she thinks about this topic often. She wonders, “How do we make it stick?” Workman laments the one-size-fits-all approach. In her environment, deploying the same cybersecurity training to a facilities manager and a contact center supervisor is not ideal because of the different roles and responsibilities. She states that trainees are “probably missing out on information we need or we’re bored and tuning out to information we don’t. While there will definitely be many topics that will apply to all, they each have unique situations and environments.”
In a survey initiated in February 2021, the author collected responses by posting the survey URL on LinkedIn and Twitter. Forty-one individuals responded to the 12-question survey that asked about their engagement in cybersecurity training, their training design preferences, and their thoughts around how to improve this type of training. Results point to a needed overhaul:
- 39% rated their engagement during cybersecurity training as moderately to highly disengaged;
- 56% did not think that cybersecurity training helped them prevent cybersecurity attacks within their organization;
- 71% marked true that they navigate through cybersecurity training as fast as it allows them to finish; and
- 76% marked true that they find cybersecurity training to be largely repetitive and boring.
Regarding preferred design elements, respondents were less enthusiastic about text-based, narration-based, and gamified (e.g., treasure hunt activities) training modules, yet they also said they wanted more audio, video, and gamification. Given these mixed signals, training developers may benefit from finding out what works best for their specific organizational audience.
The open-ended questions asking about improvement yielded rich results for training developers. When asked how cybersecurity could be improved, respondents commented on frequency, duration, real-world examples, and training variety and design:
- “Offer it more frequently. We’re all potential victims!”
- “Send us training more often! We need it.”
- “It might be better to be spread out over several days. Like a daily tip for a week or similar. Grinding an hour or two at once is brutal.”
- “Try and rotate different delivery methods (e.g., one year it is online, the next year it is a group meeting, next year it is a workshop, etc.).”
- “More real-world examples of breaches and how they were done and the consequences.”
- “Real examples and consequences such as news stories or direct company impacts. Don’t try to be cute.”
- “My company gives the exact same training every year. Mixing things up could make it more interesting and engaging.”
- “Emphasize new best practices, deemphasize stuff we’ve already known for years (like don’t write down your passwords).”
- “Tell me what has changed since last year; give me things in action (action-based learning).”
- “Don’t make me click on 10 different boxes on one slide to get the info.”
- “Tell us something we don’t know. We’ve all had data breaches. Talk about risks of using the web while on work machines.”
When offered the chance to tell the training department how to improve cybersecurity training, survey respondents requested cheat sheets, reminders of key lessons learned, and an end to deploying the same material every year. One respondent noted how the current pandemic should reshape cybersecurity training: “Show how it impacts people at home as well as work. That way they can have good habits that carry back.” Another suggested that the training department slow users down by making them answer a question before moving on to new content, to counter the “clickety clack, don’t look back” approach, in which the goal is simply to get the training over with as quickly as possible. Another pleaded for specific company examples that will resonate with trainees: “Use actual company examples instead of buying canned training that refers to ‘your company’ on every slide.”
Because cybersecurity training is sometimes developed or selected and deployed by the information technology (IT) department rather than the training department, the survey included a question asking respondents what they would say specifically to IT about improving cybersecurity training. Survey respondents asked IT to identify and focus on the biggest, most specific risks that trainees face. They also asked for role-specific training: “Different departments have different vulnerabilities. If I’m 100 percent onsite, I have different risks than the salesperson who’s on dodgy public Wi-Fi and using random flash drives.” One respondent asked for the internal cybersecurity team to deliver the training rather than using “monotonous and canned training videos.” Respondents asked IT to help them help themselves when it comes to cybersecurity: “Help me by integrating security features with the tools I use. For example, my IT department has updated our Microsoft Office tools to make it easy to add appropriate classification to every document.” Another simply stated, “Make sure the button to flag spam is in every version of Outlook installed for folks.”
Two respondents mentioned accessibility and diversity and inclusion. “Make it American Disability Act (ADA)-compliant by making sure graphics don’t cause seizures.” “Space out the quiz checks, provide a transcript or closed captioning, have speakers that are clearly understood, and videos that are culturally appropriate.”
Improving Cybersecurity Training
Survey results indicate a desire for better, more engaging cybersecurity training. What can training developers do to improve training? Tempelmeyer says, “People learn when they are motivated, not when mandated. To gain better interest, remove the task of Compliance Training from the legal advisers, IT team, and safety committee. Think like a marketing team. Customers buy experiences, not products.” Workman says, “Use scenario-based interactive activities. Make it personal to me. Challenge me to begin thinking about ways it [cybersecurity breaches] could happen to me. Finally, clearly communicate and stress the consequences. If I know and understand the devastating results on me, my team, our client, and my organization of failing to use security best practices and policies I am going to be more cautious.” Regarding making it personal, Tempelmeyer adds, “Frame the lessons with the employee as the hero in the story, not the victim. Make them the protector.”
Tempelmeyer provided specific actions to take to counter some of the most common issues:
- Dry monologue presentations. Impactful training needs to engage the learner’s mind. Long-winded monologues and reading every slide verbatim are death by PowerPoint. Talk with the class, not at them. The delivery method is what causes people to learn. For improved engagement, implement High Impact, On Demand (HI-OD) assets such as audio/video, simulations, and conversations. Game simulation exercises are another great way to stimulate the production of endorphins in the learning process.
- Technical jargon. Technical talks are not conducive to the learning process. Effective communication is about the recipient, not the speaker. Know your audience and speak in terms that they understand. Use stories and analogies that are meaningful to the learner. Consider Federal Plain Language Guidelines.
- Infrequent. If you don’t use it, you lose it. Annual training is not habit forming. One of the best habits a learner can instill is self-quizzing to recalibrate their understanding. The forgetting curve hypothesizes the decline of memory retention over time. Retrieval Practice Activities (RPA) are routine exercises that aid in the retention of knowledge. Practice that is spaced out, interleaved with other learning, and varied produces better mastery, longer retention, and more versatility. Spacing out practice allows for forgetting, which makes retrieval require effort. The cycle of forgetting and reconsolidating knowledge further strengthens memory. In practice, this may look like a daily quiz question when you log into the system.
- Long, extraneous courses. Too much data pitched without pause. Lesson segmentation is needed. Microlearning involves short, focused learning (three to five minutes) designed to meet a specific learning outcome through routine, informal training. Again, a morning exercise is a great example.
- Accountability. If meaningful is the carrot, accountability is the stick. With most programs there is little accountability with failed compliance. What would happen if when you failed your morning quiz, you were locked out of the system and required to ask your supervisor for access to a retraining course? The positive reward side may involve public recognition of all teammates or departments who received perfect marks for the week.
According to Tempelmeyer, the bottom line with cybersecurity training is to sell it through meaningful, personal storylines; engage trainees via interactive learning and dialogue to communicate on their level; use segmented, microlearning lessons; and track learning with routine RPAs.
Is all cybersecurity training in need of improvement? No. Survey respondents mentioned that cybersecurity training did improve their awareness. “We are given periodic ‘tests’ where we get emails that are supposed to look like phishing emails to see how many employees will click a bad link. I feel like this has made me very aware of what to look for in emails that come through that I am not certain about.” Another respondent who self-identified as a member of the U.S. Military mentioned Ray Semko as delivering the best in-person training on the subject that they had ever received. For cybersecurity training that can benefit from an overhaul, this article provides some perspective and a place to begin.
LIZ HERMAN (firstname.lastname@example.org) is an STC Associate Fellow and a member of the STC Nominating Committee. She writes, speaks, and teaches on technical communication, project management, and knowledge management topics.
Carliner, Saul, and Yuan Chen. 2018. “Who Technical Communicators Are: A Summary of Demographics, Backgrounds, and Employment.” Intercom 65, no. 8: 8-12. https://www.stc.org/intercom/2019/01/who-technical-communicators-are-a-summary-of-demographics-backgrounds-and-employment/.
Radware. 2020. “Protecting What You Can’t See: Global Application & Network Security Report: Eliminating Security Blind Spots in an Age of Technological Change.” Accessed 21 May 2021. https://www.radware.com/ert-report-2020/.
Semko, Ray. n.d. “Ray Semko: The Dice Man.” Accessed 21 May 2021. https://raysemko.com/.
Society for Technical Communication. n.d. “STC Communities Slack Workspace.” Accessed 21 May 2021. https://www.stc.org/membership/slack/.