Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity Enterprise ServicesSecurity Education & Training

A hundred-year-old secret is key to fighting cyberattacks

By Heather Stratford
gamify the cybersecurity training process
January 15, 2021

Every minute, three new phishing sites pop up on the internet, according to Wandera’s 2020 Mobile Threat Landscape Report. Due to the pandemic and working from home, phishing is resurging as a criminal’s go-to tool. In April 2020, Google blocked over 18 million phishing attempts each day for a week. That’s over 126 million phishing attempts in one week. And with almost all malware (94%) being delivered by email, making sure employees are cyberaware and well trained must be a top priority to chief information security officers (CISOs) and chief security officers (CSOs).

Rethink how employees are being trained

Traditional enterprise-wide training of cybersecurity consists of an annual lecture followed up by attempts at reminding employees throughout the year with posters, emails and newsletters — things that are often overlooked or ignored. Every so often, there will be a phishing test. The results are generally unsurprising and unsatisfactory. KnowBe4 reports that about 38% of untrained employees fail phishing tests.

Generally speaking when it comes to phishing, trained employees are doing well at not entering data into forms. They’re a little worse at clicking links (35% failure rate), but if there’s an attachment, rates skyrocket to 65%. This number increases to 90% when the email looks like it comes from a recognizable internal account or alias. 

When one considers these attachments are highly likely to contain malware, it’s no wonder the average employee is the greatest risk to an organization’s security. 

Why don’t current training models work?

Employees who are trained well, perform better than those untrained. But, as shown above, there are still significant failure rates when conditions change. Why is the training not working better?

Traditional training techniques rely on large mind dumps and infrequent, spotty reminders. This is not the best way to create change or growth. Training is only beneficial if it changes behavior. To change behavior, material has to be remembered and integrated into actions that become default behaviors. Old school annual training techniques can’t accomplish this. And we’ve known that for more than 135 years.

The science of training

In 1885, Hermann Ebbinghaus plotted his research findings about memory on a graph and created “the forgetting curve.” His research demonstrated that by having to frequently recall or revisit training, forgetting is reduced. Old school training doesn’t apply this knowledge, resulting in 50% of training being forgotten within an hour — making traditional practices expensive and unproductive.

Even in the 1970s, roughly a hundred years after Ebbinghaus’ first research, Johnstone and Percival reported that students only had 10-18 minutes of “optimal focus” before their attention faded, taking with it their ability to retain the information. And that was before the advent of smartphones which have further diminished our focus and attention spans.

What science shows is that people only have a limited window of 10 minutes or less where learning can happen. If training is done in small blocks of time, retention of material increases by 90%.

How can gamification help improve training?

It’s fun — and science also tells us that everyone learns better when they’re having fun.

The current training platforms and methods for the average employee are not fun, are not retained and do not create behavior change. Changing training to include gamification engages the employee with the material, which enhances learning and increases behavior change.

Training is not an hour lecture to be checked off, but small blocks of focus-filled instruction followed by consistent but playful review of the information. This interaction and continued exposure strengthens neural connections and patterns, reinforcing positive behaviors and new learning — while also creating comfort and confidence in new skills.

Why is it so much more effective?

Microlearning finally applies the science of learning and memory. It reshapes traditional long form training into bite-sized, shorter than attention-span units so learning can occur. Then, it revisits the information regularly to reinvigorate the memory and increase retention, which creates lasting skills and behavior change.

Microlearning and gamification are also more cost effective than traditional training methods. Long sessions of training are mostly forgotten within the hour. This costs organizations twice — the cost of the training itself and in lost time. Smaller training fits into schedules better, is a welcome ‘distraction’ between shifts in focus, and is more effective in learning, retention and cost. Training turns from a “have to” that sucks time to a “get to” which refreshes the mind and the security of the organization.

No matter where employees are, the internet is part of business today. Security leaders know that part of keeping organizations secure relies on the efficacy of employee training. Successful training is dependent on creating lasting change. Employees have to remember and execute their training on a regular basis. Science has been telling us how to make training (and security) better for over a hundred years. It’s time we start listening.

 

 

KEYWORDS: cyber cyber security cyber security awareness cybersecurity training enterprise risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Heather stratford

Heather Stratford is Stratford is the Founder of Drip7 and a thought-leader in the IT Training and Cybersecurity field. She keynotes at conferences, universities, and for enterprise clients. She writes on cybersecurity and has been featured and written for such global organizations as the 2018 G7 Summit held in Canada. Stratford regularly speaks about Cybersecurity, Women in Technology, Women and Diversity in Cybersecurity, creating a Cybersecurity Culture, Entrepreneurship, Privacy, and the shifting regulations and how to manage cybersecurity risks.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • security training freepik

    Outdated cybersecurity training erodes trust, hurts more than it helps

    See More
  • SEC1118-talk-Feat-slide1_900px

    Adaptation Is Key to Determining Network Resilience in Cyberattacks, Study Finds

    See More
  • keys-cyber-enews

    How to Topple a Fortune 500: The Key is in a Tiny Piece of Infrastructure

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing