Mandatory training is rarely enjoyable in a modern enterprise environment. Visions of monotonous PowerPoints and jargon-laden tests instantly come to mind when you see the email, and IT security awareness training is (sadly) no different. Nonetheless, the integrity of digital assets is directly tied to users' ability to understand and apply the information you deliver in these training sessions.
With so much riding on the effectiveness of your training session, how can you make it less painful? More importantly, how can you get users more invested in their own security?
Know Your Audience
To optimize its impact, security training's first point of emphasis should be understanding the user. This can be likened to the way marketing campaigns are built, and while you wouldn't typically associate these very different departments, your goals are the same: to engage the audience and maximize retention of important material.
Marketing dedicates its time to matching each unique audience with an equally unique strategy. Similarly, understanding the demographics within your training groups will help you develop a strategy that resonates with them and speaks to the vulnerabilities they already face. The point here is to focus your efforts on the specific interests of each training group. The more the members of that group have in common, the easier this will be. Once you've identified these commonalities, build a training strategy around them.
Have a group that's more inclined to read a newspaper than an RSS feed? Sticking to print materials will help keep things familiar and comfortable. Maybe your group is composed of frontend designers. Ensuring a visually stimulating environment — presentations included — will go a long way toward keeping their attention.
Engage Each User
As you design a training strategy based on these characteristics, keep in mind some universal aspects of user engagement. First, it's far more difficult to "zone out" when you're actively participating in the material. A recent study reported by Digital Book World illustrates this: only 30 percent of the data in oral presentations is retained. Compare that with 90 percent, the retention rate when the learner is an active part of the process.
This doesn't have to involve extravagant sessions held in stadiums complete with a keynote by Chris Wysopal; even the smallest changes in this area can make a huge difference. Using interactive media via mobile or tablet is a fantastic way to increase engagement. Free services like Kahoot, which make use of a user's own device for participation, allow you to administer casual testing in a fun and entertaining fashion. After all, there aren't many better ways to bolster engagement than simply having a good time.
Connect With Them
To truly drive home the importance of IT security awareness training, you must connect on a personal level. How? Not just by drawing parallels between two-factor authentication and enterprise success, but also through personal involvement. Employees must firmly understand the critical part they play in protecting the sanctity of the pool of data they pull from every day.
A great way to illustrate this point — and encourage involvement — is to play a quick game of word association. Use phrases that encapsulate why IT security is important, and solicit on-the-fly responses in return. Win or lose, this exercise demonstrates the need for every individual to remain aware and communicate well as a team. It also exemplifies the notion that a single vulnerability, when exploited, can cause a domino effect throughout the environment.
Maximizing the effectiveness of IT security training boils down to two things: engaging the audience and helping them understand the importance of the role they play. With the above, you'll be well equipped to improve your next training session and ultimately create a more secure environment for everyone in it.