Bake Success Instead of Failure Into Your Cyber Security Awareness Training




It's depressing but true: failure is baked right into the DNA of most cyber security awareness training.

Consider how cyber security awareness training is usually administered. During onboarding or soon afterwards, employees must participate in a lengthy security class — typically involving hours of material. That might happen in a classroom, delivered by an instructor with minimal interactivity and engagement, and often supported by daunting printed documentation. Or it might happen online, via drill videos resembling yesterday's worst PowerPoints, and relying on instructional techniques that just don't work.

Either way, employees must rapidly plow through large numbers of modules, in order to achieve "compliance." Compliance is obviously important. But it needs to be tightly connected to business value, enterprise security, and employees' personal motivations — and too often, those connections aren't made as well as they should be.

In many organizations, there's little follow-up after an employee's first exposure to cyber security awareness training. After that introduction, not much happens. At best, employees might get a "refresher" the following year, reminding them of all they've forgotten. This approach is almost certain to guarantee that your program fails.

As Will Thalheimer has shown, forgetfulness varies depending on the content topic and the individual study. However, much research suggests that people forget a great deal in a year. For example, Bahrick et al. found forgetting rates of 19%-36% one year after instruction [1]. We also know that experiences perceived as having greater importance and relevance are more likely to be remembered — and that's especially an issue in cyber security awareness training, which often fails to give employees sufficient reasons not to forget.

Short, persistent bursts of cyber security awareness training help you build enterprise security

Your cyber security awareness training program will achieve better results if you're persistent. Keep coming back to your employees: don't try to get all your training out of the way in a single onboarding class or annual refresher session that demands hours of focused attention.

Teach in short bursts of no more than a few minutes. That way, you stay within the attention spans of actual employees in the real world, while still covering all they need to know over time.

"Chunk" what you're teaching to tightly focus each short burst of learning on a big idea in corporate cyber security. That helps learners integrate your message into long-term memory so they can actually use it to strengthen enterprise security. Then, immediately reinforce what you're teaching with an engaging, interactive activity and instant feedback. In other words, as Clark Quinn puts it, build learning experiences that are "small but complete."

Next, provide spacing between learning sessions — but not too much. According to one careful research study (Bahrick, Phelps, Roediger), optimal recall occurred when retraining took place at 30-day intervals [2]. And don't stop after you train once or twice: be persistent.

This approach is usually called microlearning. We know it's what employees want. But does it work — not in the laboratory, but to actually change employees' security behavior? Yes.


We've found that employees who've engaged in Ataata cyber security awareness training are 115% more knowledgeable about corporate cyber security risk than non-Ataata peers, and 33% more likely to say they've changed a personal behavior in the past three months to become more secure.

For security awareness programs, not all microlearning is equal

Of course, short microlearning modules can be boring, irrelevant, and forgettable, too. Ataata training doesn't just work because it's quick and optimally spaced (though that's an indispensable foundation). It works because it's also funny and appealing. Because it tells stories, and humans are hardwired to love stories. And because it relies on recurring characters.

Your employees get to know their personalities, foibles, and travails, helping each video build on what's come before.

That's a deliberate strategy for building a holistic understanding of corporate cyber security in real-world context. It's designed to help people truly internalize how and why people make dumb mistakes, what happens when they do, and how to avoid it.

By watching people — not bullet points — your employees learn how to help build a stronger corporate cyber security culture. More to the point, as our clients tell us, they actually start wanting to.

Wouldn't it be great if your employees had both the knowledge and the desire to help your security team succeed? Making that happen is what we do.

Michael Madon
Michael Madon is CEO and co-founder of Ataata. From 2009-2014, he served as Deputy Assistant Secretary in the Office of Intelligence and Analysis of the Treasury Department. He was awarded the National Intelligence Distinguished Service Medal, the Intelligence Community's highest award; as well as a Bronze Star.

[1] Bahrick, H. P., Bahrick, L. E., Bahrick, A. S., & Bahrick, P. E. (1993). Maintenance of foreign language vocabulary and the spacing effect. Psychological Science, 4, 316-321.
[2] Bahrick, Harry P., Elizabeth Phelps, and Roediger, Henry L. "Retention of Spanish Vocabulary Over 8 Years." Journal of Experimental Psychology: Learning, Memory, and Cognition 13, no. 2 (1987): 344-49.