HOW TO MAKE SECURITY TRAINING EFFECTIVE
by Daniel J. Solove
Far too often, security training is so focused on saying the right things that it fails to get employees to do the right things. In many training programs I’ve seen, there is an obsession with making sure that every conceivably relevant point be said. Just because something is said doesn’t mean it is learned.
Training must be understood. Information is worthless unless people understand it.
Training must be remembered. If people don’t remember the training, then what’s the point?
Training must be followed. Many incidents aren’t due to people not knowing that what they did was careless or wrong; they are due to people not caring enough to do the right thing.
People don’t just need to be educated; they need to be motivated. Training must make people care. It isn’t effective to just throw a bunch of do’s and don’ts at employees. They need to understand why the rules matter.
People must be taught that information security is not just about protecting data; it’s about protecting people.
People should be taught that good information security practices help them personally too. The same habits protect them and their families from harm.
In my experience teaching online and offline, there are a few key tried-and-true techniques that make education effective:
Use Stories. Stories are much easier for people to remember. They engage people and make people more invested in learning the lessons.
Make an Emotional Connection. People need to understand why they should care. They need to understand the enormous consequences of a very small action, such as a careless click.
Use Interactivity. People learn better when education is interactive, when they are not just passively listening.
Use Humor. A little humor goes a long way to making people receptive and interested in the training.
Keep It Short. People have short attention spans and can only retain a limited amount of information. Focus on the most important things. If you overload people with information, they will learn less, not more.
Make It Frequent. The more frequently you can train, the better. Short periodic lessons are more effective than one long annual lesson. A series of short monthly or quarterly programs might not be feasible at every organization, so do what is practical, but where you can train in short, periodic bursts, it is generally the more effective approach.
Make It Sticky and Memorable. Use vivid imagery and variation. Training must stick in the mind. I’ve seen many corporate training programs that are slick yet rather bland and non-memorable. They look good, but slickness isn’t very memorable. Many TV commercials are slick, but how many do you remember? You likely remember the ones that had something interesting about them, that were funny, or clever, or told a powerful story.
Among the most important things that security training should cover are: (1) contact IT security with any questions or concerns; (2) report anything suspicious, or any possible violation, immediately. The more people ask, and the sooner they report troublesome things, the better.
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 970,000 followers.
TeachPrivacy provides privacy awareness training, security training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.