Thinking beyond compliance training
As creators of cyber security e-learning for many Government and corporate customers, Mindshift are 100% supportive of computer-based training.
When building a cyber security training and awareness program, we view CBT as necessary foundation training.
Fortunately, in our experience, businesses in New Zealand mostly do not treat compliance training as a checkbox exercise, where the goal is simply to get employees to complete the training rather than to genuinely understand and apply the concepts.
Creating CBT is a big job
Creating e-learning from scratch is no simple job though! Our experience shows it requires bringing together security, communications, and subject-matter experts from across a business to identify human-centric cyber risks.
These may differ from team to team, and people may have conflicting priorities, so compiling a list of topics to cover in a 15-minute online training session can be challenging.
When developing content for e-learning, we ask our clients:
1. What are your biggest human risks?
2. How do you know they are risks, and what evidence do you have to support that view?
3. What systems and processes do you have in place to help manage those risks?
4. What actions do you need your staff to take?
Once the key risks and the behavioural change required are understood, there is still work to be done to ensure the business has the support in place for people to get further guidance when they need it. For example, if you ask people to tell you as soon as possible when they lose or damage their device, but there are several different email addresses and phone numbers they could use to do so, then you are asking a lot of them.
Figure out the best business process, and make it happen while the CBT process is underway.
The same goes for intranet content. Some may say that no-one reads "extra information", and that may be true, until the day they need to recall and do something and have to look up the steps, or the reasons why.
You can't ask new starters to complete compliance training in their first week and expect them to remember all of it when the moment to act arrives.
Why can CBT be seen as ineffective?
With no teacher to talk to and ask questions, you can't get important feedback or learn from others' questions.
Many computer-based training programs rely heavily on passive learning, where users simply click through slides or watch generic content videos without much engagement. This passive approach often leads to low retention rates as learners may not fully absorb the material or find a connection between the content and their role or personal life.
To learn something, people may need to experience it. For example, telling people to set up a passphrase only has relevance when they physically pick up their phone and do it. They then need to think up a string of random words, stretching their own memory to come up with something unique. Only then will they really understand what a passphrase is.
A person needs about 30 to 50 seconds to memorise a word, but the word needs about 6 to 12 exposures over a period of time to convert that knowledge into long-term memory.
It is simply unrealistic to think that people will retain and put into practice everything you cover in online security training. Practice is the key word here; people must practise what they learn for it to sink in and become normal workplace behaviour.
The benefits of CBT
Whilst CBT administered through a corporate learning management system (LMS) will certainly give you all the completion stats to please management and auditors, the improvement in security behaviours is largely unknown.
How do you know how behaviors have improved, and cyber risks have reduced or are being better managed? When compiling content for CBT, consider the learning objectives and how you will measure behavioral change. This is not easy by the way!
The beauty of developing well-thought-out, concise, and engaging online security training, though, is that you end up with a wonderful pot of content, both words and illustrations (possibly even video), to draw on for ongoing awareness.
Ongoing cyber security awareness
Supporting people with ongoing awareness is therefore just as important as having foundational cyber security training. This diagram shows CBT as the foundational element of a cyber security training and awareness programme, supported by a range of awareness activities (not all options are shown here), most of which draw on the content developed for the CBT.