Formal learning has long been the bedrock of school systems worldwide. We go to class. A teacher presents the information. We are then tested on that information. It’s a scheduled, systematic way of educating.
This is also the way most security awareness programs are designed. Users take a course or a learning module and are tested on the information at the end of it. You then present the results of those tests in a manner that essentially “checks the box” for security training.
The problem with that process is it sets users up for failure. Long-form education, especially when done only once or twice a year, cannot stand alone in our efforts to combat cybercrime. But if we supplement it with microlearning, we don’t just increase awareness, we also change user behavior—which is the ultimate goal.
We want to create a culture where reacting to potential threats becomes second nature. And where being proactive in our security efforts is a natural part of our everyday routine.
Microlearning is the most efficient way to achieve that goal.
What is Microlearning?
Microlearning is a method of education that delivers content in short, specific bursts. It can be offered in many convenient formats such as videos, articles or activities that present information in small chunks rather than long-form training courses.
It is not a replacement for formal learning, but rather a supplement that gives users more control over their own learning. How and why is it effective? Let’s consider the following statistics, and then unpack how each one plays a role in security awareness training.
- Millennials are the fastest growing work population and will make up at least half of the workforce by 2020.
- The average attention span is 90 seconds.
- Big changes have a 70% failure rate.
- On average, employees have 1% of a typical work week to focus on training.
- Learners forget 79% of new information within days.
Fact 1: Millennials in the workforce.
According to Cisco, video will represent 82 percent of all internet traffic by 2020. What does this have to do with Millennials? It proves that A) they prefer video over other forms of learning/entertainment, and B) on-demand is king.
Regularly releasing short videos (such as the one at the bottom of this page) as a part of your awareness training will reach Millennials a lot more effectively than infrequent classroom-style teaching led by instructors. Offering these videos in an on-demand library is especially useful, as it gives users the option to learn at their own pace, and gives them a place to go for answers when they need something.
Fact 2: The average attention span is 90 seconds.
What were we talking about?
Right. There’s plenty of debate over the attention span of humans, how it might be changing, and how we can fairly measure that change. Some reports have concluded that our attention span has fallen four seconds in the last 15 years and is now shorter than that of a goldfish. Certain publications have gone as far as to blame smartphones for this alleged decline in attention.
One thing is for certain: your users’ willingness to pay attention to cybersecurity training is quite low. So, presenting materials in short, engaging formats is not just the best way to reach them, it may be the only way to reach them. A learning module that takes 25 minutes may be required as a matter of compliance, but a three-minute video with chunks of information will allow your users to quickly absorb and better retain the information you want to teach them.
Fact 3: Big changes have a 70% failure rate.
Yes, policy is important. But sweeping changes to anything within your organization are generally met with resistance, and ultimately fail. Implementing a brand new security awareness program is an example of a sweeping change. You inform your employees that, from this point forward, part of their job is to learn “this stuff” and “don’t expect to be paid more for it.”
So instead of pushing them into long courses with quizzes right off the bat, try introducing your training program with short, focused content, in small bursts over a period of time. Think of it as an advertising campaign. Startups don’t introduce their product with an hour-long infomercial, but with 30-second TV spots, email blasts and eye-catching, colorful ads. Apply tested advertising concepts to your training program and use it throughout to drive engagement.
Fact 4: Only 1% of the workweek to learn.
Squeezing cybersecurity training into any workday is a difficult challenge. The standard workweek contains 40 hours and includes everything from lunch breaks, meetings, regular breaks, and a variety of work-related commitments. This is where that “one percent” number comes from.
On average, modern learners have only one percent of their workweek to devote to training. That boils down to 24 minutes per week or 4.8 minutes per day. While we can’t suggest that your entire awareness program be crammed into such small windows, we do recommend that you design some of your content to fit into those small moments. Regular, frequent reinforcement of the big picture is the key to learning.
Fact 5: Learners forget 79 percent of new information within days.
Have you ever crammed the night before a big test? That may get you a passing grade, but good luck recalling that information a few weeks later. If your users only take long, formal learning courses, chances are that the information you want them to retain will be quickly forgotten, and your organization will be no safer than it was the day before.
Microlearning circumvents this failure by partitioning information into bite-sized chunks. Think of it as a PSA (public service announcement). PSAs contain vital information—the who, what, when, where, and why—in a format that is generally 60 seconds or shorter.
How to Maximize Microlearning
The key takeaway is this: less is more. The brain can process only about five pieces of information at one time—no more. Meanwhile, 75 percent of workers say they are already overwhelmed with work, training, rules, office drama, etc. So, formal learning needs all the help it can get with regard to awareness training.
Microlearning can be up to 300 percent faster than formal or instructor-led training or even robust elearning modules. And while it doesn’t replace the mandatory compliance training or the yearly security workshop, it provides a much-needed supplement that users can quickly consume and easily retain. With that in mind, here are five ways you can maximize microlearning within your security awareness program:
Pre-launch. If you’re in the planning phase of your program, advertise it! Make the launch a big deal and get everyone involved. You have one shot to get their attention, so go big!
Don’t rely on push. Instead, encourage pull. This goes back to having on-demand training materials that your employees can access at any time. Create a portal of quick-hitting resources that includes games, videos, and infographics.
Release sparingly but frequently. Spaced repetition is your friend. You don’t want to bog users down by constantly hitting them over the head with new content. So, space it out a bit and change the format with each release – for example, maybe one week you release a video, the next week an article, and later in the month a game. Push out reminders that aren’t “mandatory” but instead “highly recommended.”
Use personalized learning. Give people the chance to test out of what they already know. Not everyone needs the same type of training, especially new hires who may have already gone through extensive awareness training at a previous job.
Production quality matters. This applies to all layers of your awareness program. If it’s boring, preachy, in black and white, with no humor or no games, it will fail. Millennials are especially sensitive to low-quality formats that seem outdated.