D’ohs and Dons of Cyber Security Training (2/2) — the Seven Dons

janikenttala, published in badrap.io. 7 min read. Jul 13, 2020

I felt we may have been driving ordinary people and employees away from security, and I listed my D’ohs of Cyber Security Training in the previous blog. How could we be more like Dons, take pride in educating people, and believe in the students? Here are my seven Dons of Cyber Security Training to get started. These “Dons” are both my ideal teachers and the talents (from the French don) to look for in them.

“Our students are, we believe, crème de la crème. The trouble is that they have been let down by the ‘system’ before they came to us.” — It’s a Don’s Life by Mary Beard

Don #1 — Administer in small doses

What if the course would feel like taking a short positive break from work?

Online security courses prevent employees from achieving their daily goals. Even if they would like to learn, the stress from not finishing work can take over and ruin an otherwise good experience. If you administer content in small doses, the stress of “not completing work” is thrown out of the window. Now your message has a much better chance of getting through.

Don #2 — Be casual on every level

We want to get rid of the impression that cyber security is somebody else’s problem.

You may have heard the “I’m not a target” argument. It makes more sense if you check out the infosec news. Faceless corporations falling victim, spies taking over government networks and foreign hackers just waiting to press enter to stop whole countries. Yes, these are important too, but not relatable to the problems that ordinary people have.

People need to hear about the mundane, everyday trouble caused by ordinary criminals and scammers. On that front, the Finnish broadcasting company YLE did a great job with their “Digitally scammed” TV series. (Unfortunately, it is encrypted with Finnish.) Drop me a note if you know of similar English content.

“Melissa” and “Sami” explain how their identity got stolen, and they were drowned with bills in a series called “Digitally scammed”.

Then there is “Team Whack” docuseries, which demystifies how hackers operate. Forget those state-sponsored military-grade hackers for a moment and check out Benjamin, who climbs a bit too high to find some computers from the trash.

“Forget those state-sponsored military-grade hackers for a moment.”

Hacker de-mystification by Team Whack. “None of us knows CPR”, said Laura, when Benjamin climbed too high to dig ditched laptops from the trash.

Don #3 — Be FuRious (Fun but Serious)

The topics are serious enough, let’s not make it worse.

As the topics are serious and even scary, let’s not make them worse by amplifying the scary parts ourselves. Let’s not be too clinical about them either. Emotions are needed to keep the material engaging, but there are other emotions to invoke besides fear.

Derek Muller is FuRious about global warming.

Here is a perfect example of the FuRious approach, by Derek Muller, a.k.a. Veritasium on YouTube. Climate change is a topic that can get boring fast once you get to the important details. He explains a lot in seven minutes. To make it more entertaining, he included a “YouTuber” version of himself to bring up the typical counter-arguments.

Here is my own FuRious example. I once flipped a full 180° on ice while I was recording an intro for our security course participants. I decided to keep that part in. It became a nice ice-breaker for the online session we had later on.

Don #4 — Get personal

Want more than two minutes of people’s attention? You need to be useful.

So it turns out that besides online security and privacy, people also have other things to worry about. How long do you think they want to pay attention to your topic? I’d give it a few minutes at most if you are just pushing your own agenda on them. Let’s draw some inspiration from a methodology called solution sales.

As Alec Baldwin said in the movie “Glengarry Glen Ross”: “Always Be Interested” (in your target audience).

Solution sales is a common methodology in business-to-business sales. In solution sales, you don’t just fire a broadside of your product’s features at your potential customer. You figure out what their pain points are and how your product can solve them.

Talk to some of your audience, preferably those you never thought you’d talk to about security. What do they think about security? What kind of reasoning do they have for doing or not doing something related to security? Is that reasoning solid?

Our “cyber attacks are like germs” topic came up after talking to a bunch of people. Some of them said they are not a target of cyber criminals. In reality, your average online criminal just sprays their attacks as widely as possible.

This message was inspired by feedback.

Don #5 — Keep up with the dialog

You got some great feedback in advance from the previous step, great! Don’t stop there. If you can embed dialog in the training, all the better. You’ll learn all the time, and your students will be much more interested in the content.

If you are in a situation where you can only do a one-directional webinar, proceed with caution. Too many people will just multitask their way through the webinar and forget most of what was said. Remember “administer in small doses”. Do coffee-break-sized sessions: long enough to handle one, and only one, topic, but short enough that nobody has time to get distracted. :) Rinse and repeat with different topics.

Don #6 — Let people think for themselves

Most courses have some sort of quiz at the end. I’ve done a few and I’m not a huge fan. Do you remember my friend from my previous blog? I also had to help him with one answer, and my tip was: “option D sounds least wrong”. It is no wonder that my friend just wanted to pass the quiz. Thinking about and reflecting on the material was not on the table at all.

Ask questions, but if possible, let the participants think for themselves. Ask more open-ended questions and let people reflect on their own lives: “Why is security important to you?”, “What devices do you have at home that could leak your personal information?”, and so on. This approach was also inspired by the solution sales methodology.

Don #7 — Close the gap from social distancing

Online live sessions work, if you alter your approach. Reduce the group size and length, and increase interaction.

We’ve found that groups of around six people are pretty ideal for fun and interactive sessions. Better to do three one-hour sessions with six people each than one three-hour session with 18 people. Or do interactive versions with the most security-critical personnel and use more scalable methods for the rest. As a nice side effect, you are forced to cut the fat from your content. :)

These types of sessions have been a blast for us, and the feedback from the participants has been great. I’ve never heard anyone ask for more after a three-hour session in a classroom setting. Now, after several shorter online versions, I’ve had several “can we get more of these?” questions at the end of the session.

Accelerate the change towards human-centric training

When we stop preaching and start helping people, people take interest and feel they are being helped. We have laid the groundwork for scaling our efforts. How to go forward from here?

Companies have an incentive to help employees

Companies have an incentive to help employees, as most attacks target their employees. If you are a CISO or CSO, make sure your company’s (good) training materials are online and available to everyone. Measure the interest and adjust your message over time. And don’t forget new employees; onboarding is a great place to introduce good cyber hygiene habits.

Now that we are human-centric, HR can also join the party. You can improve the lives of the company’s workforce while making the workplace safer for everyone: less employee churn and a more secure workplace.

Individuals are great influencers

InfoSecSherpa explains how to do an “InfoSec 101” presentation for librarians.

Most importantly, individuals, both learners and trainers, are the stars of the show. Take InfoSecSherpa, for example: an ex-librarian and current “Cyber Analyst SOC Sherpa” who wants hackers to talk more with librarians, and tells them how to do it.

Train the challengers, or challenge the trainers and put your new skills into practice. Don’t forget to tell your co-workers, friends and family about what you have learned. Enjoy the next security training you are going to make or take! Break stereotypes: talk to people, especially security pros and trainers. Show that you care about security and tell us how we can improve our game.

These were my seven Dons of Cyber Security Training for ordinary people. I’ve seen the light, and I hope you will too. I believe people will start practicing cyber hygiene the same way we brush our teeth and wash our hands.

Did you like this article? Ping me on LinkedIn or Twitter, I’d love to meet more people who want to crack the challenges related to employee training.
