Dare to Have Fun! Alleviate the Pain Points of Cyber Security Awareness Training

You know it and we know it: Security awareness training doesn’t have the best reputation. Many employees who are required to undergo security awareness training do so under the direction of human resources or a risk and compliance department within their company. Trainings have long been conducted via static PowerPoint presentations, lecture-based talks, online “tutorials”, and other passive methods that don’t result in the employee retaining much of anything. It merely becomes a box employees check off on their requirements sheet before they move on.

This is not the way cyber security awareness training should be implemented. We know that trainings like this are ineffective in helping employees learn cyber best practices or, more importantly, change their online behavior for the better. The “learning pyramid”, sometimes referred to as the “cone of learning”, developed by the National Training Laboratory, suggests that most learners only remember about 10% of what they read from textbooks, whereas retention improves when gamification is incorporated into training and learning activities. In fact, according to Talent LMS, 89% of employees believe they’d be more productive if their work was more gamified.

Photo by Zachary Nelson on Unsplash


Don’t believe us? Take a peek at the recent news headlines and industry reports that show human error is still a primary contributor to, and cause of, significant company breaches. Employees aren’t empowered with the knowledge of what to look for in suspicious emails or phone calls, resulting in higher cyber risk for organizations.

And those are only a few of many incidents that indicate the need to foster more effective security awareness training to truly change digital behavior.

Pain Points of Traditional Security Awareness Training

  1. Actually changing behavior – Getting an employee to go through security awareness training is one thing, but actually changing their behavior is another challenge all its own. Training can’t be a ‘one and done’ effort. It must be engaging enough for people to retain learned information so they can recall it when faced with a cyber threat. To do this, security awareness training must have a ‘what’s in it for me?’ component; otherwise, there’s no incentive for an employee to do the training at all. Teaching elements like scoring, competition, badges, levels, and ‘digital rewards’ help engage employees so they move training off the ‘must do list’ and onto the ‘want to do list.’
  2. Convincing employees it directly impacts them – If you’ve never been in a car accident, you may be inclined to drive a little faster on the highway, not thinking twice about the repercussions because “an accident will never happen to you.” Wrong. Just because your company may not have been breached (yet) doesn’t mean you’re exempt from security awareness training. Unfortunately, the daily onslaught of company breaches making news headlines indicates that the ‘we don’t need security awareness training’ thinking is not only outdated but will leave your organization more vulnerable to an attack. Everyone needs security awareness training if they do any kind of work on an electronic device (whether computer, phone, internet-connected system, etc.).
  3. Perceived protection from technology – It’s quite common to presume that today’s technology has ‘built-in’ security to protect against hackers, and while some devices do offer limited protection, it’s not enough. As fast as technology is advancing, there’s always a gap in security waiting to be exploited. Spam filters, antivirus software, and firewalls are great, but hackers know the easiest way to get sensitive data and cause disruption is by going through people first. A multi-layered security strategy that places people at the forefront of defense is critical to hardening posture from all angles.

Empower Employees with Fun Security Awareness Learning

Just because the industry has typically conducted security awareness training in a passive manner in the past doesn’t mean it works, and it certainly doesn’t mean that we have to keep doing it. So let’s flip the script on security awareness training, shall we?

We recently debuted inCyt, a security awareness learning tool, at RSA this year. It is an evolving solution designed for non-technical employees to learn cyber foundations and improve online workplace practices. In it, we dare to have fun with security awareness training by simplifying and gamifying the complexity of cyber. We expand the understanding of the threat landscape for non-technical employees who work on business systems by introducing basic concepts through the mind of a hacker. Then the player is encouraged to demonstrate their learned knowledge in a “final” lesson where the player defends their digital assets from a bot hacker. Games are designed around the cyber attack sequence that outlines the structure of an online threat.

inCyt on a laptop computer

Players with limited cyber knowledge learn basic concepts through cyber-themed battles against a bot attacker, and the learning becomes ‘sticky’ because engaging content is retained. Colorful characters, friendly competition, and relevant cyber examples improve security awareness aptitude.

inCyt currently teaches the following security foundations with more on the way!

Phishing & Email Security

  • Understand what phishing is.
  • Understand the impacts of phishing.
  • Identify common indicators of phishing attempts.
  • Identify appropriate countermeasures related to phishing.

Online Safety

  • Understand the risks associated with public internet.
  • Identify proper safety precautions when online shopping.
  • Understand the impact of what and when you post online.

Password Security

  • Understand the importance of strong passwords.
  • Identify best practices when creating passwords.
  • Understand multi-factor authentication.

Future game topics and themes will include: Social Media, Least Privilege, Remote Work / Bring Your Own Device (BYOD), Computer & Software Updates, Response to Potential Attack, Data Value, Preservation & Recovery.

So what do you think? Is it time to change up your security awareness training approach? Perhaps try something new to strengthen the most frequently attacked element in your organization: your people.

Schedule a demo of inCyt today to learn more.


Human Resources Takes on Cyber Readiness: How to Mitigate Cyber Risks with Security Awareness Training

Every year hackers come out of the woodwork to target various companies, specifically around the holiday season. In fact, cyber attacks are estimated to increase by as much as 50 – 60% over the holidays. With staff often spread thin and consumers taking advantage of online shopping and banking for added convenience, the timing is perfect for HR professionals to stay vigilant in how they onboard new employees with cyber education while encouraging good cyber hygiene among existing colleagues. Understanding the risks employees come across while online, how to train them to detect and mitigate these risks, and how you as an HR manager can ensure continued efforts to harden security posture will make you a cyber safety hero this holiday season!

While IT and cyber professionals are primarily responsible for securing a company’s networks and ensuring teams are up to snuff, the reality is that cyber risk extends beyond what occurs in the server room. Human error continues to be one of the top reasons cyber attacks are successful. This means that not only do security teams need to be trained, but cyber training across every department, with every employee who works on a computer, is essential to obtain and maintain good cyber hygiene across the company. If every employee in your organization understands how their actions can impact overall company security, more personal responsibility will be taken to maintain cyber safety.

Don’t fret! HR professionals need not be masters in cyber security. There are great tools out there to help anyone learn the basics and be able to share their foundational learning with others. So, what are some of the things you can learn and train employees on to mitigate attacks?

  • Phishing emails – With inboxes flooded daily, it can be hard to spot potential threats in emails. Hackers send targeted emails that may appear to address a work-related matter from a co-worker or manager. One click on the wrong email, and you could be infecting your business device with malware. It is important that every employee understands what suspicious emails “look” like and how to avoid nefarious click bait.
  • Using company devices for personal work – It’s an easy thing to do: grab a work device off the counter and start online shopping, emailing friends and family, or finally getting around to baking that chocolate chip cookie recipe from Martha Stewart. However, accessing unsecured sites and opening personal, and potentially phishing, emails on a work computer puts companies at risk. As an HR manager, you must recognize this common occurrence and be able to speak to it with your staff. If a hacker is able to gain access to a business computer through an employee’s personal use, they gain access to all of the company information on that employee’s device as well.
  • Using personal devices to conduct business – The same can be said for using personal devices to conduct business. It can be difficult to “turn off” after work hours, and many employees answer some work emails on their cell phone or load a work document on their personal tablet or laptop. When company staff access potentially sensitive business documents on their personal device, they risk leaking that information to a hacker. To prevent attacks company-wide, HR pros must be aware of how often this type of behavior occurs and work closely with their IT department to learn how company networks are secured when remote access is granted to employees outside of home and work IP addresses.

HR managers: Spread good cyber hygiene!

Security awareness training is becoming increasingly prevalent at companies that know what it takes to have good cyber hygiene. According to a recent report by Infosec, about 53% of U.S. companies have some form of security awareness training in place. While this is still barely over half, it’s a start. So what can you do to rank among the companies leading the charge in cyber security?

  • Offer continuous training – Cyber security awareness training is not a “one and done” event. This kind of training should continue throughout the year, at all levels of an organization, and be specific to different job roles within the company. Technology is always changing, which means the threatscape is too. When you are battling a constantly shifting enemy, your employees need to be vigilantly trained to understand each shift.
  • Perform “live fire” training exercises – Live fire exercises (LFX) happen when users undergo a simulated cyber attack specific to their job or industry. One example is having your IT department send out a simulated phishing email. See how many people click on it and show them how easily they could have been hacked. This data can be used to show progress, identify problem areas, and train to specific threats as needed.
  • Stress the importance of security at work and at home – Showing employees the benefit of cyber awareness in the workplace translates to awareness at home as well. Help prospective and existing employees gain a wide breadth of understanding about cyber best practices by making learning approachable instead of unattainable or intimidating.
  • Reward good cyber hygiene – Reward employees who report malicious emails or other threats to your company’s IT team, and share success stories of how employees helped thwart security issues with vigilant “eyes” on suspicious activity. Equally, it is important to empathize with employees who make mistakes and give them the tools to learn from those mistakes. Many employees receive hundreds of emails each day, and while training tips and education are helpful tools, they are not a perfect solution.

Training employees to be cyber aware can be difficult unless a structured program and management strategy is in place. We’re here to help! Circadence’s security awareness platform, inCyt, is coming soon! inCyt allows employees to compete in cyber-themed battles and empowers them to understand professional and personal cyber responsibility. By cultivating safe cyber practices in virtual environments, HR managers can increase security awareness and reduce risks to the business.

To learn more and stay in the know for upcoming product launches, visit www.circadence.com


Living Our Mission: Learning is Built into Project Ares, Thanks to Victoria Bowen, Instructional Designer at Circadence

Victoria Bowen has worked in the instructional design field for about 35 years, primarily developing e-learning with a smattering of web development, SharePoint development, and Learning Management System administration. She holds an undergraduate degree in psychology, a master’s in special education, and a doctorate in curriculum, instruction, and supervision with an emphasis on instructional design. What that means is that she knows how people learn and what aids and interferes with learning in training products. Victoria worked at an IT security services company and then transitioned to a training role with the Air Force’s Cyberspace Vulnerability Assessment/Hunter (CVAH) weapon system. “I was responsible for the training database and the app store for several versions of CVAH. I also developed user guides and training materials,” she said. Victoria served in that role for about nine months before joining the Circadence team.

Since September 2013, Victoria’s main job as an instructional designer has been to analyze training needs for Circadence products. She helps assess target audiences for Circadence products to determine learning goals and objectives for the product designers. She establishes the behaviors that a user would be assessed against, after engaging with the product, to ensure learning has occurred. Victoria also suggests ways to evaluate those behaviors to optimize product utility. In doing so, she prepares training outlines and documentation and writes content development processes and learning paths. Mapping Job Qualification Requirement (JQR) tasks to training tasks is a regular function of Victoria’s job, alongside mapping National Institute of Standards and Technology (NIST) standards to training tasks. She ensures the core skills addressed in our curriculum creation tool Orion™ align to defined NIST standards.

Applying instructional design theory to new technology

What keeps Victoria returning to her desk every day is the challenge of learning and applying instructional design theory to cutting-edge training technology. “Although the old rules still apply, Circadence is leading the way in developing new rules and research on how learning happens and best practices for simulations like Project Ares®. We know a lot about constructivism as an underlying theory, but to apply it to gaming environments like Project Ares is new and fascinating,” she says.

The challenge of applying theory to technology is complicated by the fact that new books about instructional design and cognitive analysis and processing are published frequently, and there are new online articles every month. There is also a growing emphasis on instructional analysis before beginning training development projects, and so a growing emphasis on analytical skills for instructional designers. These skills help us design the right training, just enough training, and just-in-time training for learners.

“Ensuring we are constructing an environment in which the player is constantly learning, not just performing a task or activity, is essential. We need the player to understand the what, when, how, and why related to the tasks they perform in the environment. For deeper learning and better retrieval from long-term memory, we also need the player to understand how their tasks relate to each other,” Victoria says. “Furthermore,” she adds, “we want the player’s understanding and performance to progress from novice to intermediate to expert. That doesn’t happen just by repetition. There must be instruction too.”

Instructional design within Project Ares

For the Project Ares Battle Rooms and Missions, Victoria collaborates with cyber security subject matter experts to write the learning objectives and assessment criteria, provide role-based learning content outlines, identify gaps and redundancies in content, and review product design to ensure high-quality instructional design. For inCyt™, she’s written the scripts for several of the cyber security lessons. Finally, Victoria also reviews and identifies instructional design issues such as scrolling text and text display not controlled by the user, “both of which interfere with cognitive processing by the user and adversely affect transfer from short-term to long-term memory,” she adds.

“I have a different challenge every day and I like challenges. I’m also fascinated by cyber security and enjoy learning more about it every day. Instructional research has consistently supported that interactivity is the most important component of instruction regardless of delivery method. We have a very interactive environment and that’s great for retention and transfer of learning to real world application.”

Victoria’s passion for intelligent learning systems dates back to her time in school. “When I was a poor graduate student at the University of Georgia, I paid around $25 a month in overdue fees to the library so I could keep the AI books I checked out longer. (Once they were turned in, professors usually got them and could keep them up to a year.) There were only about 25 books on that topic at the time. Today, it is remarkable to see what our AI team can do with Athena.”

Why persistent cyber training matters

The cyber world is changing very fast. People need to learn constantly to keep up with their job requirements. Cyber challenges are not about cookie cutter solutions. It’s important that the cyber operator learns cyber problem solving, not just cyber solutions. By jumping into a training program and being able to craft different approaches to solving problems and test those approaches, the cyber professional can learn skills that directly help them do better on the job. Plus – a big plus – the training is fun!

Inside inCyt: The Benefits of Gamified Cybersecurity Learning (An Interview with Cassie Brubaker)

Here at Circadence, we are dedicated to taking cybersecurity learning to the next level. We do this through gamification that is accessible to all ages and ranges of knowledge on the subject. Our own Cassie Brubaker, co-creative director on our security awareness mobile app inCyt™, helped us understand the differences between learning and training, and how games can bring value to skill building in the technical world.

Why does cybersecurity really matter in today’s interconnected world?

C: When we don’t understand something, we don’t feel empowered. So, when I think about the importance of cybersecurity and cyber awareness, it’s more a story of empowering people to take back control of their lives. It’s a story about not being scared to live your day-to-day life because you understand [cyber] and you’re in control of it and I think that’s a wonderful thing.

I get that everybody needs to make their companies more secure, but I think it comes at a personal level too. If you feel in control over your personal life, you’re going to be a better contributor to your entire business, you’re going to be a better contributor to your family, you’re going to be a better contributor to yourself.

When we learn more about cybersecurity, we are empowered. Given your expertise with game development, what are the differences between learning versus training?

C: Games provide an inherently clever method to promote learning. There is a place for training, but in my mind, it’s a lot more formal. Learning has a broader application for me. It can happen in all kinds of different moments. You never know when you’re going to learn something new and that’s the magic of it. Training is more like, “let’s get this piece of information across in this specific way.” With our game inCyt, I’ve had so much fun trying to find all the different ways you can learn. You can play it again and again and it’s a little different every time. I can’t guarantee what lesson you’re going to learn when you play today and I don’t know what lesson you’re going to learn when you play tomorrow, BUT you’re going to learn something because you’re engaging with a well-designed product that has been crafted in such a way to give you all kinds of realistic experiences as it pertains to cybersecurity.

Let’s talk briefly about inCyt and how it uses gamified learning.

C: inCyt is a mobile app that builds cybersecurity awareness. It is designed to educate everyone on fundamental cyber concepts and attack methods. It does this through two learning paths: a concept learning component and a gameplay component for individuals or teams.

The solution is taking the common perception of cybersecurity and flipping it on its head. Cybersecurity, as it exists today, does not conjure up feelings of peace and comfort the way you might expect from a field focused on security and safety. inCyt brings a radically different approach to the existing landscape – one that invites anyone and everyone to step out of the darkness and take their first step towards cyber enlightenment. One of the cool things about this product is that you’re learning organically about cybersecurity as you play, but you’re just having fun battling with your friends. The more and more you play, the more the cyber concepts start to sink in because you’re seeing them applied in real-world scenarios.

Who should play inCyt?

C: inCyt has been designed to reach all ages and experience levels. It’s ultimately designed for people who know very little about cybersecurity, but because we’ve built it to be playful and with a bit of strategy, even people who are cybersecurity professionals could play it and enjoy it. One of the things we found in testing within the company is that people who do this for a living will play it and say, “I think I could actually use this with my family, they don’t understand what I do.”

What is the ultimate value in a game like this?

C: The ultimate value of inCyt as a product for any company is that it is first and foremost fun for your employees to play. They are going to jump in and not feel like they’re being put through some mundane training exercise. There are two different ways that we’re teaching employees about cyber awareness. One of them is what I call “organic lessons” and that’s what happens primarily in the gameplay itself. We give players a bunch of cyber tools and allow them to experiment through gameplay and find what strategies work. In doing this, we’re creating employees that think one level bigger, more strategically about the “whys” and the “whats” as opposed to a memorized list of rules that need to be followed. Nobody likes that. After learning the basic cyber concepts, players can compete in the gameplay portion of the app.

When working on inCyt, how did you address different learning styles?

C: In terms of different learning styles, that’s really where we’ve gone into playtesting as our method to lean on. Everybody wants something a little bit different when they play: some people want all of the answers up front, they want to know exactly how to use it and they want to know why they’re doing it, while some people want to experiment. Through those playtests, we’re able to make variations of the gameplay that hit the largest range of learning styles. It’s really from a human engagement level, less of a theoretical learning style level. That’s why the playtests have been so helpful for us.

For more information on the benefits of gamified learning, check out the recommended reading below.

Recommended Reading:

The Importance of Gamification in Cybersecurity Training

Why Gamification is the Answer You’ve Been Looking For

Benefits of Gamified Learning