Awareness is a form of education. Becoming aware of security threats and solutions is synonymous with learning about those things.

The 70/20/10 Model

Researchers in the 1980s discovered that there are three kinds of learning: experiential, informal/social, and formal. Most companies spend most of their L&D budgets on the last kind, formal. But the researchers found out that most of our learning doesn’t come from formal education.

70% of what we learn comes from doing (experiential learning).

20% comes from social interactions and exposure (informal learning).

10% comes from training and reading (formal learning).

Why do we spend the most time and resources on the smallest percentage?

Formal vs. Informal

Think about formal learning like a bus (with a regulated schedule, driven by someone else at the speed limit, you’re just along for the ride) and informal learning like a bike (self-driven, at your own pace, whenever you need it, on your own schedule). Since every user has different learning needs, and there is no one-size-fits-all method of spreading awareness, informal learning allows you to employ different strategies to accommodate different user types. The same thing won’t work for everyone within your organization, so you must be flexible enough to give everyone what they need.

There is a myth that formal learning, such as elearning modules or instructor-led training, erases misconceptions. But the truth is that misconceptions are hard to erase, especially if they’ve been ingrained for a long time. One training session on proper passwords won’t erase years of bad habits. Misconceptions do not disappear because of the presentation of new, more accurate information. Misconceptions and bad habits persist.

So how do you correct misconceptions and instill good security habits? By doing three things: point out mistaken information and bad habits; show how and why these things are wrong; and present the correct information. Then you must do this more than once. Over and over again. It takes time to educate, instill new knowledge and make something a habit.

Informal learning can improve security awareness since it’s everywhere. It’s in everything we do. Asking colleagues where we can find the updated security policy; googling how to set up a personal VPN; watching a How To video about strong passwords. There are so many opportunities for informal learning in an average work day: meetings, group discussions, screensavers, blogs, on-demand resources on your intranet, mentoring programs, user-created content….

Next Steps

Your ultimate goal is not to build awareness materials but security aware employees. Users who will be aware and continue to increase their awareness and learn more over time. So think about what the biggest challenge is that’s currently preventing users from accessing and participating in awareness content. Is it lack of time? Lack of knowledge? Lack of motivation? Once you figure out what the challenge is, you can start developing a strategy for overcoming it.

What are your users doing now? What do they need/want to do? Where are opportunities to improve their awareness? Use education and your users’ needs to develop your strategy.
Finally, remember that memory is emotional. If you can drive emotion, you can drive knowledge and behavior change.

Ashley Schwartau

Director of Production & Creative Development at SAC
After more than 15 years of working in this industry, she’s finally accepted – and embraced! – the fact that she’s a security awareness expert. She is also a book-loving, travel-blogging, French-speaking Gryffindor who is unapologetically obsessed with her cats.