Much has been made about the cybersecurity skills gap, and for good reason. There is a scarcity of cybersecurity professionals worldwide, which makes networks and those who depend on them—which is almost everyone—less safe. This is compounded by the fact that humans continue to be the weakest link in an organization’s cybersecurity posture. There is an insufficient number of professionals to keep networks secure, and there is a general lack of cybersecurity awareness by employees making basic mistakes that create greater cyber risk.
Clearly, employees need consistent, high-quality training on basic cybersecurity and cyber-awareness. One barrier, though, is that in today’s machine-speed business environment, it is difficult to break away from daily tasks to take part in traditional live or online training initiatives that require long blocks of time. Organizations need a new training paradigm that delivers appropriate content without disrupting business.
The Benefits of Non-Traditional Training
The traditional view of training is of people sitting in a classroom for several hours or days with an instructor or facilitator at the front of the room, or of sitting in front of a computer working through many modules of a self-paced training course. While these methods of training can be quite effective, the field of training and education has evolved considerably over the last several years.
There are many less traditional training methods that have proven to be very effective and can address the challenges CISOs are facing in building a truly cyber-aware workforce. Implementing many of these non-traditional techniques means that employees are away from their workplace far less (in some cases not at all), and it transforms the learning experience from an isolated event where the learner “consumes training content” to a culture of continuous learning where employees are “active participants” in a more informal, social, interest-driven learning process.
There are many scientific benefits to some non-traditional training techniques, such as reduction of cognitive load, leaving learners feeling more engaged and increasing the levels of information retention. The scientific benefits are beyond the scope of this post, but there is no shortage of scientific data available to anyone online. Examples of non-traditional training techniques include:
- Job Aids: As stated above, training doesn’t always need to be employees sitting in a classroom. There are many times when employees need to perform tasks that are exceptions to their day-to-day routine and that can be quite complicated and unfamiliar. Often these tasks can be learned far more effectively through the use of job aids. A good example of this is when an employee receives an email that could be malicious. Rather than wading through a large training manual or trying to remember the specific characteristics of malicious emails that were discussed in a previous class, an employee can reach for a job aid. This type of job aid could be as simple as a two-sided laminated sheet with one side describing the characteristics of various malicious emails and the other side with simple flow charts of what to do. This is essentially ‘Just-in-Time’ learning that will soon become second nature to the employee.
- Microlearning: Microlearning is a general concept of providing relatively small chunks of learning to participants where and when it is appropriate. Microlearning content can be delivered in a variety of ways, ranging from modern learning management systems (LMS) that push microlearning content to users to less formal means such as quizzes integrated into regular newsletters or informal activities. Microlearning is an ongoing trend that meets the particular needs of today’s fast-moving organizations and their employees. While it is a general concept that applies to a number of techniques, microlearning is best suited for skills-based learning, which is quite applicable to cybersecurity skills and awareness. With the landscape changing so often, microlearning can be delivered regularly to reinforce security topics and required skills, increasing the odds of retention and compliance.
- Gamification: Gamification is a technique that uses elements of video game design in learning environments. The goal of gamification is to engage learners through familiar, fun activities and in some cases create a competitive and/or social environment. By gaining points, elevating their status level, getting to the top of a leaderboard or one of many other gaming techniques, users are inspired to continue learning. Gamification of learning can be implemented in a number of ways and to a number of degrees. It can be as simple as awarding points as people participate in ongoing microlearning activities, or as complex as live in-person “capture-the-flag” competitions. From a cybersecurity awareness perspective, gamification of learning could be implemented in conjunction with MIS teams sending out simulated phishing attacks and awarding points to employees who avoid the attacks and can identify various characteristics. The Fortinet XPerts Academy event in Latin America is a good example of gamification being used in a much more extensive manner to create excitement and engagement before a training event even starts. Take a look at the challenge video sent to registered participants.
- Digital Badging: Digital badges are defined as “a validated symbol or indicator of an accomplishment, skill, quality or interest”. While not a training technique itself, digital badging can be a great tool to motivate behavior and engage learners by recognizing achievement. Digital badging can also be used as a mechanism to communicate a person’s status or membership within a community. In fact, digital badging is quickly becoming an alternative to traditional technical certification designations that often require significant time and financial investment by individuals. In 2011, the whitepaper “An Open Badge System Framework” by Peer 2 Peer University and The Mozilla Foundation became the catalyst for what has become an effective network of open digital badging systems that allow individuals to share their badges broadly across the internet with peers, credentialing bodies, potential employers and others. This can be a great enabler for CISOs and HR departments wanting to assess the skills and knowledge of potential new hires into an organization. It can also be a great tool for internal compliance teams to easily measure and report on critical cybersecurity awareness of the general employee population.
- Awareness Campaigns: While not as technological as gamification or digital badging, an often overlooked method of training is leveraging existing awareness campaigns. These campaigns can be focused specifically on a training initiative such as cybersecurity awareness, or could be larger campaigns that are well aligned with your learning objectives – such as Cybersecurity Awareness Month. They can be internal campaigns or external campaigns that typically provide a significant number of resources and support. The Association for Talent Development, for example, promotes an Employee Learning Week each year, citing a growing skills gap and the need to remain competitive in today’s global economy. An industry awareness campaign like this can be a great vehicle to launch or expand a cybersecurity awareness campaign.
Cybersecurity remains a primary concern for all organizations, and cybersecurity awareness training needs to be part of any successful strategy to keep networks and data safe. The BYOD, work-anywhere culture increases risk, but it also provides greater opportunity to train employees on good cybersecurity practices using a variety of non-traditional training techniques. By evolving your organization’s training strategy to include a variety of non-traditional techniques for your cybersecurity needs, you have the potential to do more than build a Cyber-Aware Workforce; you have the potential to change the overall learning culture of your organization and become a true Learning Organization.
The author is Regional Vice President - India & SAARC, Fortinet