Tell me and I forget. Teach me and I remember. Involve me and I learn. – Benjamin Franklin

At its core, security awareness is an education issue. The very idea of becoming aware of something means becoming educated about. If you want to make your users aware, you want to educate them.

But many organizations struggle finding money, time, and support to properly educate their users. Through our many years of helping organizations of all sizes create, launch and manage security awareness programs, we’ve found a recurring trait missing from the organizations who struggle the most.

A Story

Let us tell you a story about Client X. Obviously, we can’t tell you the client’s actual name but what happened to Client X is something we’ve seen time and again with other clients, and is something that we feel other organizations can learn from.

Client X spent a LOT of money on an in-depth security awareness training program. The team in charge of developing it created and licensed dozens of elearning courses, bought dozens of videos, purchased a top-of-its-class LMS… They really put a lot of resources into the content of this program. It could have been fantastic.

When Client X launched the program — or rather “released” it, since they didn’t so much launch it as we would have recommended — they were met with a lot of resistance. Days after the program was made public, they were disappointed that hardly anyone was checking out the materials they’d spent so much time and money to create. Days turned to weeks, weeks into months, people’s resistance grew and when the budget was reviewed for the next year, their funding got cut;  the executives didn’t see any gain from the pain of building the program in the first place. It fizzled, no one took the training, and later during that second year they suffered a massive data breach.

What went wrong?

In the case of Client X, many many things from not pre-advertising the program to drum up excitement, to not properly launching it, but we’re actually going to examine something much more foundational: at the core, the company did not have a LEARNING CULTURE.

We can spend all the money in the world to build the biggest, baddest technological systems and the coolest training content ever. But if your organization does not support and encourage a Learning Culture, then none of that matters.

We must align what we DO with how we THINK, WORK and LEARN, and the only way to do that is through our culture.

What do we mean by culture?

Culture can be broken down to mean various things in different contexts. For our purposes, we’re going to examine the most basic aspects: attitude, socially-taught values, and behavior.

Attitude determines HOW things are done. Values are WHY things are done. And behavior is WHAT things are done.

Why do we care about culture?

Your organization can have the best business strategy ever, developed by Harvard grads and funded by deep corporate pockets. But at the end of the day, culture eats strategy for breakfast. If your culture does not support your business objectives, does not encourage employees to grow and learn, does not reward innovation, then your strategy does not matter.

The same is true for security. You can spend all the money in the world on the most awesome firewall and most advanced vulnerability detecting, but if your users aren’t educated — or don’t care! — about secure behavior, then it doesn’t matter. The desire to be secure must be a part of your company culture, and the only way to get people to care about security is to educate them.

What is keeping us from developing a learning culture?

Deep down people want to learn and deep down they want to be secure. But we must counter existing attitudes. We must counter laziness, fear, uncertainty. We must counter a resistance to change.

People don’t want to be bothered with inefficiency, and security is inherently inefficient — security controls slow us down, get in our way, keep us from getting our work done fast. Taking time to learn new things is also inefficient. People want to get their work done and go home, they don’t want to spend time learning for the sake of learning if it’s not an expected or encouraged part of your work culture. People also want instant gratification; what will they get right that second for completing a training course or taking time to read a policy update?

We not only have to counter the ingrained attitudes of our employees, but of executives and management. They are even busier (or at least perceive themselves to be) and do not want to be slowed down by a boring training course or rules they think they might be above. Executives tend to want something easier than everyone else so they avoid security.

How Informal Learning Can Help

As we know from looking at the 70/20/10 model, we only get 10% of our knowledge from formal learning, including elearning modules and instructor-led training. 70% comes from experiential learning and 20% comes from informal learning. These two can overlap, though, as much informal learning may include experiential learning, or learning by doing.

What if every moment were a learning opportunity? Informal learning can be the key to helping you create a culture of learning within your organization, and ultimately make your workplace more security aware. Informal learning can increase awareness and exists everywhere, you just have to look: asking for help, talking to coworkers, user-created content, mentoring programs, social networks, blogs, podcasts, on-demand resources in an LMS, elearning modules, monthly newsletters, meetings, group discussions, screensavers…

You can use informal learning opportunities to instill important security information and encourage new, good habits. The more often users encounter information, the easier it will be to ingest.

What makes an effective learning culture?

  • Knowledge is explicit and readily available to users. They don’t have to work hard to find information they need when they want/need it.
  • Budgeting is available for learning activities and resources. Management understands the importance of educating users and sets aside the necessary finances and resources to do so.
  • There needs to be psychological safety. Your workplace needs to be a safe space to ask questions, to discuss ideas freely without fear of reprimand or bullying. Anonymity is available to users to criticize or give feedback to management and to ask questions.
  • Cross-culturally aware content.
  • Learning needs to be valued by higher ups.
  • A push and pull of information.
  • A desire to be better.
  • Lack of complacency.
  • Willing to live with uncertainty.
  • Tolerance of failure.

How do you create an effective learning culture?

Get buy-in from management and C-levels to get the resources you need to do a proper assessment. In order to get buy-in, you’ll need to sell a vision to your executives. Paint them a picture of a more secure, more aware and more productive workplace.

Take a baseline. What are you doing right now to educate your users? What topics are they most aware about? Least aware? Where are the gaps in their knowledge? Figure out where your users are in terms of awareness and behavior in order to develop a strategy.

Use moments of change to your advantage. It can be tough to institute change if people don’t see a need for it: you might not be able to sell life jackets until the ship is actually sinking, so ride waves of change whenever you can. This might be harder work (especially if another process is broken in the process) but sometimes this is your only option. If you can, try implementing new ideas when things are going well; when life at work is hunky dory, there is more bandwidth to spare so people can pay more attention.

Remember that big changes tend to have a 70% failure rate. People fall back into old habits and/or forget over time. Think about being a kid cramming for that math test: you spend a lot of time and energy the night before learning all the formulas, and two weeks later, you couldn’t remember a thing. By breaking up the implementation of a new program into smaller changes, you’ll be more effective. It won’t be such a shock to the system for folks, so they won’t be as resistant up front. And you can make changes along the way, experimenting with techniques and content. If you find something doesn’t work, you can change it because you didn’t spend months and months and tons of money making a huge change.

 

Implementing Change

Learning is the best investment a company can make as things, especially technology, develop so fast. Learning is the way to keep up with changes. A learning culture is a better environment to work in. People are more educated and aware; they know the organization cares about them, their families, and their security; they understand more about their roles and responsibilities. Ultimately, by educating your users, you will get more output from them.

Buy a man a fish, he eats for a day. Teach a man to fish, he eats for a lifetime. So will you continue to buy the fish for your employees? Or empower them to catch the fish themselves?

Ashley Schwartau

Director of Production & Creative Development at SAC
After more than 15 years of working in this industry, she’s finally accepted – and embraced! – the fact that she’s a security awareness expert. She is also a book-loving, travel-blogging, French-speaking Gryffindor who is unapologetically obsessed with her cats.