Security talks to Jann Yogman, who has written and produced comedy for Michael J. Fox, Dana Carvey and Conan O'Brien during his career. Yogman brought his comedy skills to Mimecast to help out with cybersecurity awareness training, structuring the program like seasons of a situation comedy, with actual comedic actors playing repeating characters.

Read on to learn how highly-engaging security awareness training can help solve human error — often the main cause of 95% of cybersecurity breaches.

Security: What is your background and current role? What are some of the responsibilities in your role?

Yogman: In high school, I was voted least likely to have a career in cybersecurity. Okay, that wasn’t an actual category, but my resume does look a lot different than most in our field. My background is in television. I worked with Conan O’Brien and Dana Carvey and then spent 10 years working with Michael J. Fox. Who knew my TV experience would eventually lead to an opportunity to write and direct short comedy videos about cybersecurity? Well, one guy knew.

A friend of mine from college approached me about developing security awareness training that would resonate with regular people. And since I was a regular person, who happened to know how to tell stories and make people laugh, we had an opportunity to create training that people would actually want to watch. This wasn’t about thinking outside the box. I never knew this box existed.

They say regular employees are the last line of defense when it comes to security. So if we want them to make better security choices, we need to show them why their decisions matter. The question is, how can we keep employees engaged instead of pushing them away? My job is to keep them tuned in.

Security: You brought your comedy skills to Mimecast and its awareness training platform module. Instead of creating standard "do this, not that" mandatory content, how did you structure the program?

Yogman: People are less likely to pay attention when you talk at them. Comedy allows us to talk to them. We also lean into the concept of microlearning. Rather than dumping a whole bunch of training on people at once, we believe it’s far more effective to deliver information in smaller, snack-sized portions. We deliver our training monthly, keep each training module under three minutes, grab people’s attention at the top and keep them engaged through the final frame.

Before I can write a training module, I need to make sure I understand the topic and key takeaways. Since I don’t come from a tech background, I’m able to write in a way that doesn’t scare people away. Our characters sound like regular people. They exist in a sitcom world that most people can relate to. And ultimately, they find themselves in situations that any employee might face.

Human error plays a role in 90% of all security breaches. That means mistakes have real consequences. Companies have a responsibility to train their employees to make better security decisions. And since the old way wasn’t working, we set out to do it differently. Security topics are heavy, but the way we talk about them doesn’t have to be.

Security: How can laughter help cure the ransomware crisis?

Yogman: Ransomware is obviously no laughing matter, but better awareness training and an informed workforce can help companies prevent an attack. Our process is simple. Watch. Laugh. Learn. Again, it comes down to engagement, and I would argue that watching three minutes of a workplace comedy has far more impact than clicking through a 30-slide deck.

Ransomware often tracks back to human error. Someone opens a suspicious email, clicks on a malicious link or downloads a bad attachment. We want employees to understand that risk and know what they can do to mitigate it. So many attacks can be avoided when people slow down and think before they click. Our steady stream of content is aimed to keep security top of mind, so when employees are faced with a decision, they’ll pause just long enough to ask the right questions, verify requests and potentially avoid costly mistakes.   

So does humor really work? Employees tell us they’re paying attention. They say they’ve changed their security habits in the office and at home. And even more telling, many of them ask when they’re getting the next episode. Awareness training that people actually want more of? Now that’s pretty funny.