Electronic mail has come a long way over the last four decades. Believe it or not, there was a time when its sole purpose was to transmit messages from one inbox to another. Nowadays, email is a fully interactive form of media that plays host to marketers, newsletters, and spammers alike.
That might explain why it has survived all these years despite the massive rise in messaging apps like WhatsApp, Facebook Messenger, Hangouts, Allo, Line, WeChat, Slack, Skype… a list that could go on forever.
Many applications have come and gone, but email has proved to be resilient, even in a world where technology seems to turn over every month.
Which is why we recommend using it to market your security awareness program:
“Email gives you an opportunity to introduce a variety of training moments in a natural way, and if sent regularly operates as its own method of restating key awareness messages in new ways each time.”
Let’s build on that exact sentiment to demonstrate how email campaigns are imperative to a successful security awareness program.
Five Reasons Why Email Campaigns are Still Relevant
Reason No. 1: Ubiquity
Email addresses are like opinions; they’re free and we all have several of them.
The fact of the matter is this: not everyone warms up to the latest and greatest messaging apps. And while internal communications often go smoother with programs like Skype, your users still check their email multiple times a day on multiple devices. Additionally, 72% of people say they prefer receiving communication via email as opposed to other forms of marketing.
To summarize the obvious, everyone already uses email and has for a long time. It’s a built-in format that requires no additional explanation. There is no age gap. And best of all, there are no technical difficulties for end-users that sometimes accompany new tech.
It’s also economical. Since the infrastructure is already in place, company-wide email campaigns are inexpensive and customizable!
Reason No. 2: Metrics
One of the biggest hurdles training programs need to overcome is tracking success. How do we know if our users learn anything? The answer to that question is metrics.
Email campaigns simplify metrics by allowing us to log certain activity such as which users open a message and which links they click on. Of course, this doesn’t actually tell us if they learn anything, but it does track engagement, which is where learning starts.
Reason No. 3: Micro-Delivery
We firmly believe that microlearning is one of the most powerful methods of training. A short, entertaining video on phishing has more staying power than a 30-minute module or instructor-led course.
But it’s more than just chopping up long courses into small sections. It’s also about delivery. The container in which knowledge is imparted needs to be transparent yet engaging. If you have 25 videos that are all two minutes in length, simply sending your users to a web page and instructing them to watch them all misses the entire point.
Each awareness video (or infographic or newsletter or whatever) deserves its own container. And email is the perfect option. It allows you to easily customize a template that includes a short bit of text (no walls of text!), an action item or two, and content (the video) pertinent to the lesson you wish to teach.
Reason No. 4: Performance Support
Consider the following question posed by Conrad Gottfredson and Bob Mosher:
“To what degree is my organization addressing the entire journey performers make from the beginning stages of learning through the full range of challenges that can occur at the moment of application, when learners are called upon to actually perform?”
In short, are we doing enough to prepare our learners for real-life scenarios? To answer that question, they developed a learning model called the “Five Moments of Need”:
- When people are learning how to do something for the first time;
- When people are expanding the breadth and depth of what they have learned;
- When they need to act upon what they have learned, which includes planning what they will do, remembering what they may have forgotten, or adapting their performance to a unique situation;
- When problems arise, or things break or don’t work the way they were intended;
- When people need to learn a new way of doing something, which requires them to change skills that are deeply ingrained in their performance practices.
The first couple of steps are what a lot of organizations traditionally utilize as the basis of their formal training program. A “here’s some new stuff you need to know about and here’s more stuff about that stuff” approach. But it’s the other three steps that we should focus on. Performance support gives users access to information at the time when it is most crucial that they have it. Even better, it’s built right into their workflow. Support your users’ work performance by giving them the resources to find the information they need WHEN they need it. Just-in-time knowledge, not just-in-case.
Case in point: company-sponsored phishing campaigns. By phishing your employees with on-the-spot remediation, you build learning into their workflow and place knowledge at their fingertips. Instructor-led seminars and classroom-style workshops have their benefits, to be sure, but your employees’ workspace is (for most) a computer, a keyboard, and a mouse. Why would you not focus your training where the work is done and the threats exist? Phishing emails, by the way, are still one of the top threats that organizations of all shapes and sizes face.
Reason No. 5: Continuous Learning
So, you bought a bunch of security awareness content and materials. Now what? Do you just set up a learning management system and instruct your users to finish everything by a certain date? Or do you develop a systematic, structured way of distributing information, thereby empowering your employees?
The latter, obviously, is where we side. Continuous learning supplements initial training efforts, such as onboarding or compliance modules, by providing employees with a balanced cycle of information.
The ultimate goal of all of this is to replace training with learning. Training is what we think we need, but learning is what matters. Email campaigns help achieve that goal by developing a cycle of continuity—a reliable format that employees trust and understand. Weekly or biweekly or even just monthly repetition of information tailored to what your employees need all but guarantees a successful training program.
The bottom line is that security awareness training is no different than any other type of training. How we package knowledge has a direct correlation to how well that knowledge is received. Email campaigns are a great option because they’re transparent, reliable, inexpensive, and focus entirely on content.
Author: Justin Bonnema