Cyber’s Not Boring… Your Training Is

“Don’t teach me anything, I don’t want to learn. You smell like canned soup.”

This is a quote by John Oliver from his famous interview with the whistleblower Edward Snowden on his popular late-night TV show Last Week Tonight. But it could just as easily be our end users talking about cyber awareness training.

Like all good comedians, Oliver taps into a truth we might not want to admit: “Cyber security is complex and difficult, and I don’t want to learn because I don’t understand.”

We’ve all been there… drowning in mandatory cyber training which we must complete to meet whatever compliance standard is the flavour of the month. However, while organisations may invest countless hours and financial resources to ensure they can tick a box proving that they have taken ‘the right steps’, few companies take the time to consider whether this approach is actually working.

THE REAL ISSUE: WHY PEOPLE DON’T ENGAGE IN CYBER SECURITY

The problem comes down to organisations not really understanding why people disengage with cyber in the first place.

Research shows that low levels of cyber security knowledge result in individuals failing to adopt necessary security measures, and that awareness is key to adoption, as highlighted by NIST Special Publication 800-16. Yet, despite the investment in phishing simulations, new studies from ETH Zurich, the University of San Diego and the Karlsruhe Institute of Technology all question the effectiveness of phishing simulation, to the point where even large tech companies like Google have taken notice. These studies point to phishing simulation yielding much poorer results than previously thought, with some estimating its effectiveness to be as low as 2%.

So why aren’t these training methods effective?

THE PROBLEM WITH PUNISHMENT-BASED TRAINING

As far back as the 1950s, scientists have been pointing out that punishment is not an effective tool for changing human behaviour in the long term. Yet many organisations still use a “stick” approach… hour-long training sessions, mandatory training videos, public call-outs, and even disciplinary action.

This is a fundamentally flawed approach to learning. Yes, you might get employees to follow security protocols temporarily… but it’s not actually helping them to understand and internalise security best practices. As soon as the fear of punishment fades, old habits will return.

It also creates a culture of fear and distrust towards the cyber team. Feeling like cyber is a trap rather than a learning opportunity can lead to resentment towards the team, complete avoidance of security learning, and an unwillingness to report security incidents for fear of repercussions.

Surely, it would make more sense to understand why someone clicked on a phishing email instead of berating them for it. Most security incidents don’t happen because an employee has maliciously decided to screw over the company. They more often occur because of a genuine mistake – perhaps the person was tired, they’ve had a bad day – or because phishing emails are designed to work. The people creating them are skilled social engineers. Focusing on blaming an individual rather than addressing the root cause does nothing to foster a security-first culture within an organisation.

In fact, it does the exact opposite. When employees fear punishment, they’re more likely to hide their mistakes, lie about incidents, or push the blame onto others. All this does is delay the security team’s ability to respond effectively to threats, perpetuate a culture that is unable (or worse, unwilling) to learn from mistakes, and create tension and distrust between individuals and departments.

The key to improving cyber security awareness isn’t fear… it’s confidence. Instead of making employees feel ashamed for making mistakes, organisations should focus on helping them believe they can improve.

If employees feel capable and empowered, they’re far more likely to engage with security training, apply what they learn and make better decisions in the future. Rather than punishing mistakes, we need to create training environments that build confidence, encourage curiosity, and reinforce positive behaviours – ultimately making security something employees want to get right, not something they’re afraid to get wrong. This is where self-efficacy comes in.

WHAT IS SELF-EFFICACY? AND WHY DOES IT MATTER?

Self-efficacy is the belief in your own ability to succeed (according to the man who first defined the term, Albert Bandura). If you don’t believe you can understand something, you’re far less likely to try. This is a common problem within IT and cyber security.

A study released by the University of Agder highlighted that self-efficacy was the biggest blocker to women entering the cyber security field. But this issue extends beyond gender – it affects everyone.

When looking at self-efficacy in relation to general IT skills, several studies dating back to the 80s (including the work of Professor D.H. Schunk, who studied self-efficacy for over three decades) show that simply believing that you can work a computer is one of the biggest factors in whether you actually can work one. If you think back to veterans of our industry, a lot of them were self-taught, succeeding simply because their mentality was ‘Fuck it! How hard could it be?!’

But modern cyber security training rarely fosters that mindset – it often does the opposite, making people feel inadequate rather than empowered.

HOW TO BUILD SELF-EFFICACY IN CYBER SECURITY TRAINING

If we want employees to engage with cyber security, we need to boost their confidence. Research shows there are five key ways in which we create self-efficacy:

  • Mastery of Experiences: Experiencing success in a task is the most powerful way to improve self-efficacy. Completing tasks successfully, even small ones, builds confidence and reinforces the belief that one can succeed in similar tasks in the future. So we should be using training to help employees succeed in realistic cyber scenarios, not just test their capabilities.
  • Vicarious Learning: Observing others. When individuals see peers or role models succeed, they may develop the belief that they, too, can succeed if they make similar efforts. Security champions programmes can be a great way to introduce peer-led learning within your organisation.
  • Social Persuasion: Encouragement and positive feedback from others can enhance self-efficacy. Are you using the carrot or the stick?
  • Physiological and Emotional States: Is it an environment where people feel empowered, social and happy, and where learning is fun? An engaging environment makes learning easier. No one retains information when they’re stressed or bored.
  • Setting Achievable Goals: You have to start somewhere, and not everyone is coming from the same baseline of understanding. Your training should reflect that and be tailored to different skill levels.

Most cyber security training, as it is structured today, does not meet even two out of these five objectives.

Traditional phishing training is typically designed to catch people out rather than help them improve. We see IT send out emails about “bonuses” or “holidays” in an attempt to lure even the more tech-savvy individuals into clicking on a malicious link. This only serves to create negative associations with security, making people feel tricked rather than supported.

HOW DO YOU RETHINK YOUR CYBER SECURITY AWARENESS STRATEGY?

If you want to create an effective programme that drives the right behaviours, consider these three key points:

1. MAKE IT A POSITIVE EXPERIENCE

Think about how the recipient of the training is made to feel. How can you create an environment that is more positive? Does your culture allow employees to feel safe to make mistakes? Is your training interactive, engaging, and fun?

2. BUILD CONFIDENCE, NOT FEAR

Cyber security shouldn’t feel like a test employees are destined to fail. You want people to leave with a sense of self-belief. Make sure you are taking the time to explain the potential threats in language they understand, and leave employees with the confidence to take action.

3. FOCUS ON OUTCOMES, NOT JUST WARNINGS

Think about the outcome you are trying to drive. Yes, you want people to be vigilant, but you also want people to have the confidence to know what to do, even if they do make a mistake. Does your training empower them to respond effectively, or just make them paranoid?

THE FUTURE OF CYBER SECURITY TRAINING

In rethinking your cyber security awareness strategy, it is essential to move beyond traditional methods and consider innovative, engaging approaches. Think about incorporating gamification into your training, where employees can learn through interactive simulations and scenarios. This not only makes the training more enjoyable but also helps them retain information better.

Most importantly, cultivate a culture where cyber security is seen not as a chore or a trap but as a collective responsibility and a fun challenge. Encourage open discussions, celebrate small victories, and provide continuous support and resources. By doing so, you are not just training your team; you are empowering them to become proactive defenders of your organisation’s digital assets.

In conclusion, to truly enhance your cyber security posture, it is crucial to explore alternative training methods that foster an environment of learning, confidence, and positivity. Only then can we hope to create a workforce that is not only vigilant, but also resilient and confident in the face of cyber threats.

Birgitte Skorge-Steen