1. Keep it Simple
Most users don’t need to become experts, or even need much technical know-how, in order to be security-aware employees, so don’t overload them with technical jargon, complex diagrams or lots of intimidating cyberspeak. Keep things simple by teaching the basics in easy-to-understand language. For example, not everyone understands what ‘social engineering’ is, but everyone understands what a con artist is. So teach the dangers of social engineering by comparing social engineers to real-world con artists and scammers, and the point will hit home.
2. Make it Engaging
Would you want to sit and watch a 45-minute PowerPoint presentation? No! Nobody wants that. Think about what kind of training would keep you engaged and listening, and create the same thing for your users. Videos, fun graphics, simple diagrams, and interactive learning games are great ways to make your training program effective. Also, keep things short. It’s better to deliver several ten-minute training modules over the course of a few months than one over-long, tedious training session once a quarter. Remember that your users’ time is valuable and that they want to be entertained just as much as you do.
3. Make it Personal
Remember sitting in biology class and thinking “none of this relates to me, so why should I care?”, and then suddenly paying attention the minute the teacher showed how, by looking at genes, you can work out which parent gave you your green eyes and how likely you are to inherit your dad’s male-pattern baldness? It’s the same with security! Bring the message home and relate it back to users’ personal lives and families, and they will remember more of the message and put more of it into practice than if you present everything from a high-level corporate point of view. For example, talking about data breaches in terms of the money your company could lose is fine, but the message will hit your users harder if you talk about how many people suffer identity theft after a data breach, how much money individual families can lose after having their identities stolen, and how even their children can become victims before they turn 18.
4. Rinse & Repeat
Security awareness is like advertising. For the message to stick and for users to act on it, it has to be in front of them multiple times a year. Once-a-year training is not enough. Quarterly training is okay, but monthly or weekly reinforcement is even better. Treat your security awareness (SA) program like a marketing campaign, using monthly newsletters, screensavers, posters, weekly email tips, videos, quizzes and learning games to engage and educate your user population. The more they see the message, the longer it will stay at the forefront of their minds and the better their behavior will be.