Every minute, three new phishing sites pop up on the internet, according to Wandera’s 2020 Mobile Threat Landscape Report. Due to the pandemic and working from home, phishing is resurging as a criminal’s go-to tool. In April 2020, Google blocked over 18 million phishing attempts each day for a week. That’s over 126 million phishing attempts in one week. And with almost all malware (94%) being delivered by email, making sure employees are cyber-aware and well trained must be a top priority for chief information security officers (CISOs) and chief security officers (CSOs).
Rethink how employees are being trained
Traditional enterprise-wide training of cybersecurity consists of an annual lecture followed up by attempts at reminding employees throughout the year with posters, emails and newsletters — things that are often overlooked or ignored. Every so often, there will be a phishing test. The results are generally unsurprising and unsatisfactory. KnowBe4 reports that about 38% of untrained employees fail phishing tests.
Generally speaking, when it comes to phishing, trained employees are doing well at not entering data into forms. They do a little worse at not clicking links (35% failure rate), but if there’s an attachment, failure rates skyrocket to 65%. This number increases to 90% when the email looks like it comes from a recognizable internal account or alias.
When one considers that these attachments are highly likely to contain malware, it’s no wonder the average employee is the greatest risk to an organization’s security.
Why don’t current training models work?
Employees who are trained well perform better than those who are untrained. But, as shown above, there are still significant failure rates when conditions change. Why is the training not working better?
Traditional training techniques rely on large mind dumps and infrequent, spotty reminders. This is not the best way to create change or growth. Training is only beneficial if it changes behavior. To change behavior, material has to be remembered and integrated into actions that become default behaviors. Old-school annual training techniques can’t accomplish this. And we’ve known that for more than 135 years.
The science of training
In 1885, Hermann Ebbinghaus plotted his research findings about memory on a graph and created “the forgetting curve.” His research demonstrated that forgetting is reduced when learners have to frequently recall or revisit the material. Old-school training doesn’t apply this knowledge, resulting in 50% of training being forgotten within an hour — making traditional practices expensive and unproductive.
Even in the 1970s, roughly a hundred years after Ebbinghaus’ first research, Johnstone and Percival reported that students only had 10-18 minutes of “optimal focus” before their attention faded, taking with it their ability to retain the information. And that was before the advent of smartphones, which have further diminished our focus and attention spans.
What science shows is that people only have a limited window of 10 minutes or less in which learning can happen. If training is done in small blocks of time, retention of material increases by 90%.
How can gamification help improve training?
It’s fun — and science also tells us that everyone learns better when they’re having fun.
The current training platforms and methods for the average employee are not fun, are not retained and do not create behavior change. Changing training to include gamification engages the employee with the material, which enhances learning and increases behavior change.
Training is not an hour-long lecture to be checked off, but small blocks of focus-filled instruction followed by consistent but playful review of the information. This interaction and continued exposure strengthen neural connections and patterns, reinforcing positive behaviors and new learning — while also creating comfort and confidence in new skills.
Why is it so much more effective?
Microlearning finally applies the science of learning and memory. It reshapes traditional long-form training into bite-sized units shorter than the attention span, so learning can occur. Then, it revisits the information regularly to reinvigorate the memory and increase retention, which creates lasting skills and behavior change.
Microlearning and gamification are also more cost-effective than traditional training methods. Long sessions of training are mostly forgotten within the hour. This costs organizations twice — the cost of the training itself and the cost of lost time. Shorter training fits into schedules better, is a welcome “distraction” between shifts in focus, and is more effective in learning, retention and cost. Training turns from a “have to” that sucks time into a “get to” that refreshes the mind and the security of the organization.
No matter where employees are, the internet is part of business today. Security leaders know that part of keeping organizations secure relies on the efficacy of employee training. Successful training is dependent on creating lasting change. Employees have to remember and execute their training on a regular basis. Science has been telling us how to make training (and security) better for over a hundred years. It’s time we start listening.