Why User Experience Matters In Security Awareness Training

By Erich Kron, Security Awareness Advocate, KnowBe4 [ Join Cybersecurity Insiders ]
966

The human element is one of the biggest reasons why data breaches have risen in recent years. And even though most organizations have some level of security awareness training already in place, employees continue to fall prey to phishing attacks or are found guilty of not following security best practices. Only user training can definitively undermine social engineering and phishing scams. Unfortunately, most organizations tre security training as a mandatory check-box exercise without actually focusing on what its audience needs, wants, or expects out of training.

How Does User Experience Relate to Security Awareness Training?

User experience is the one and only true currency of cybersecurity awareness training (SAT) – it is that feeling, whether positive, negative, or indifferent, that employees get after every training session. This experience can have a direct impact on engagement, learning, attentiveness, and ‘virality’ – when employees voluntarily suggest training to their colleagues. A rich user experience can help shape the security mindset, behaviors, norms and attitudes across the organization.

What Elements Are Needed To Create A Good User Experience In Security Training?

Achieving a good user experience is not easy. It is a deliberate effort that requires meticulous attention to several components of training. Namely, active involvement from all stakeholders plus an ongoing process whereby training processes are continuously refined based on user feedback. Below are some elements that organizations must work on to improve the SAT user experience:

1. Content Quality: Content always matters in training. If your content is boring and monotonous or lacks context, relevance and creativity, then this will negatively impact the user experience. In contrast, organizations can practice storytelling, using recent and relevant examples pulled from daily headlines recounting massive data breaches and multi-million-dollar extortion settlements. Using tools that make the learning process more interactive and personalized can also significantly boost the training experience.

2. Training Frequency: If training sessions progress too long most people will get fatigued and stop paying attention. Moreover, employees tend to forget infrequent training. Therefore, it is advisable that organizations conduct training at regular intervals and shorten its duration. Employees will engage with the content with more interest and retain it better.

3. User-centric Design: Technology touchpoints such as having a user-friendly training portal, a seamless single sign-on function (that avoids making users re-enter credentials), automated workflows and reminders, a real-time view of employee training progress, and a simple browser button to report and quarantine phishing messages, can all significantly enhance the overall user experience.

4. Real-world Testing: Receiving textbook knowledge about cybersecurity threats and encountering a cybersecurity threat are two completely different things. Using phishing simulation tools, employees are subjected to mock phishing attacks in hopes they learn to identify these culprits and report them before they spread and cause harm to the organization. Simulated phishing exercises can also build confidence in handling real-world threats.

5. Positive Reinforcement: Employees are not cybersecurity experts. Many will find it hard to grasp security jargon. Organizations must exercise empathy, not reprimand or disrespect employees for making mistakes. Some employees may need one-on-one coaching. Recognizing these needs will help make employees feel more comfortable around security and the handling of incidents while bettering their training experience.

6. Flexibility: Employees also have a day job they need to finish. Trust employees to complete training on their own time and at their own pace without overly stressing them with tight deadlines. When employees have more flexibility for learning they are apt to be more receptive to understanding new procedures and concepts.

7. Games / Incentives: Who says training can’t be fun, collaborative, rewarding and motivating? To elevate the SAT user experience, security teams, with help from HR, can run promotions and contests between departments (e.g., which team detects the most phishing emails), offer generous freebies like t-shirts or coffee vouchers, highlight good security deeds at company meetings, and run other events from the HR/marketing playbook.

8. Communication / Feedback: Communication is a core ingredient for team collaboration. Clear and consistent communication from the top-down shows commitment from leadership for cybersecurity. Moreover, communication is never a one-way street. By establishing a feedback mechanism and making continuous improvements, employees feel heard and valued, which in turn can result in positive feelings and a good user experience.

Good user experience begins with an understanding of how people think and operate. Empathy, understanding, and feedback are important cornerstones. If organizations pay heed to these best practices when building their security awareness programs then they will not only deliver better learning outcomes but also foster a healthy security culture, one resilient against phishing and social engineering threats.

Ad

No posts to display