When developing training resources and materials for non-specialists, one of the things that subject matter experts can easily forget is that content alone is not enough. This is especially true in information security: presenting facts and designing tests is not sufficient, because we need our colleagues to acquire skills. This should change the way we develop and deliver security awareness training.
Among other things, effective security awareness training requires an appreciation of the underlying psychology of learning and behavioural influence. So when we develop security awareness training we need to think about how we are going to engage psychologically with our audience, both during and after the formal training session. Some concepts that need to be considered are:
- Social proof: is it obvious that this topic is supported by senior management? Does the training material include an appearance and endorsement from a member of the senior management team, preferably the CEO or a board director?
- Self-efficacy: can participants see for themselves that they are really learning and growing their risk management skills? This means more than a multiple-choice question about red flags in phishing emails: can the participant actually identify the red flags in an interactive session with an example phishing email?
- Relevance: is the participant receiving training that relates to the information security issues relevant to your business, their job and the data they handle? Remember: generic = bland = irrelevant = boring.
- Priming: does your security awareness programme extend beyond the classroom (whether physical or e-learning)? To make it stick, participants will need short follow-up micro-sessions that prompt them to mentally retrieve and practise critical threat recognition and response skills, rather than leaving the theory to fade after a single session.
So, develop your content with the goal in mind: skills your colleagues will actually use, not just facts they can recite for a test.