The Ultimate Checklist for Choosing the Right Cybersecurity Awareness Training Solution.

Security Awareness
24 June 2024
Choosing the Right Cybersecurity Awareness Training Solution

As employees continue to embrace a hybrid work reality, and attackers begin to leverage AI to launch ever more sophisticated scams, choosing a cybersecurity awareness training solution is no longer a decision you can afford to ignore.

Let’s make sure you make the right choice!

Training media designed to change behavior

E-learning has become common practice in businesses, where digital platforms and media are used to develop a wide range of skills and competencies. However, many companies measure the consumption and completion of training materials rather than the actual impact of the training. Monitoring viewing rates and questionnaire scores is useful, but the real goal is an observable change in the behavior of the target audience. Effective training therefore uses media designed to maximize understanding and deep assimilation, combining cognitive, inductive, and experiential learning methods.

Managing attention span 

One of the fundamental principles of andragogy (the adult counterpart of pedagogy) is careful management of attention span. Adult learners have limited attention to spare, and usually express this simply as being too busy. It is therefore crucial to use this scarce resource wisely by:

  • Limiting the duration of media content to a maximum of 6 to 7 minutes.
  • Releasing new content at an appropriate pace (e.g., one topic per month).
  • Allowing users to stop and resume later from the same position.

The “it could happen to me” emotional trigger 

Using engaging training content is a simple way to capture the learner’s attention.
However, this approach can backfire by creating a disconnection from reality, so that the narrative is perceived as fictional or irrelevant. Cartoons, which providers often choose for cost-effectiveness, are a classic example of this effect.
A more effective approach is to combine content that explains concepts and dynamics with believable stories that carry emotional “hooks” and invite self-identification. For example, explaining mobile device management practices can help prevent the mixing of personal and professional use on the same device. Pairing this with real-life stories in which that mixing leads to serious consequences is far more likely to achieve the awareness objective.

System 1 

The terms “System 1” and “System 2” were popularized by psychologist Daniel Kahneman in his book Thinking, Fast and Slow (Kahneman credits the labels to Keith Stanovich and Richard West).
He describes two distinct modes of thinking: “System 1” is fast, instinctive, and emotional, while “System 2” is slower, more deliberative, and logical.
For example, a chess master rapidly playing multiple games simultaneously or a jazz musician improvising on stage relies primarily on System 1 thinking.
In cybersecurity, the ideal is for System 1 to act as a first-pass filter on incoming digital solicitations: the cues of a scam (urgency, an unexpected attachment, a request to bypass a normal process) should trigger an automatic reaction of stopping, verifying, or reporting before the user has reasoned about it at all. This matters because phishing is itself designed to exploit System 1, pressing the user to act before System 2 engages. Effective awareness programs aim to cultivate this reflex through persistence and reinforcing feedback.

Regular long-term routine 

Cybersecurity awareness programs are often treated as a one-time event that employees simply have to complete and sign off on, much like workplace anti-harassment training. This approach satisfies compliance requirements, but it rarely produces satisfactory results, as becomes obvious when effectiveness is measured with activities such as phishing tests.
For cybersecurity hygiene to be truly effective, it needs to be an ongoing and visible concern in the workplace. Repetitive content should be avoided, since it leads to cognitive overload and disengagement. Instead, employees should regularly encounter fresh, interesting material that reinforces their existing skills while educating them about new threats and defensive strategies.
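Phishing tests only measure an ongoing program if the results are tracked per campaign and per user over time, rather than as a single pass/fail. The following is an added example, not code from the original page or from any vendor platform: it reads a constructed phishing-simulation export (the column names `campaign`, `user`, `clicked`, `reported` are assumptions) and computes the per-campaign click and report rates, the set of “serial clickers” (users who clicked in at least two campaigns), and the serial-clicker rate over a trailing window of campaigns, which is the kind of figure quoted later on this page.

```python
"""Phishing-simulation scorecard: click/report trend and serial clickers.

Added example. The CSV layout below is an assumption, not a real vendor format;
the sample rows are constructed so the script runs offline.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per (campaign, targeted user). 1 = yes, 0 = no.
SAMPLE_CSV = """campaign,user,clicked,reported
2024-01,alice,1,0
2024-01,bob,1,0
2024-01,carol,1,0
2024-01,dave,0,1
2024-01,erin,1,0
2024-02,alice,1,0
2024-02,bob,1,0
2024-02,carol,0,1
2024-02,dave,0,1
2024-02,erin,0,0
2024-03,alice,1,0
2024-03,bob,0,1
2024-03,carol,0,1
2024-03,dave,0,1
2024-03,erin,0,1
2024-04,alice,0,1
2024-04,bob,0,1
2024-04,carol,0,1
2024-04,dave,0,0
2024-04,erin,0,1
"""


def load_results(text):
    """Parse the export into a list of dicts with real booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": row["campaign"],
            "user": row["user"],
            "clicked": row["clicked"].strip() == "1",
            "reported": row["reported"].strip() == "1",
        })
    return rows


def campaign_trend(rows):
    """Return [(campaign, click_rate, report_rate), ...] in campaign order.

    Rates are fractions of the users targeted in that campaign, so campaigns
    of different sizes are comparable. A rising report rate is the behavior
    the program is trying to build; a falling click rate alone is not enough.
    """
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r["campaign"]].append(r)
    trend = []
    for name in sorted(by_campaign):
        recs = by_campaign[name]
        n = len(recs)
        clicked = sum(1 for r in recs if r["clicked"])
        reported = sum(1 for r in recs if r["reported"])
        trend.append((name, clicked / n, reported / n))
    return trend


def _window(rows, last_n):
    """Restrict rows to the most recent last_n campaigns (None = all)."""
    if last_n is None:
        return rows
    recent = sorted({r["campaign"] for r in rows})[-last_n:]
    return [r for r in rows if r["campaign"] in recent]


def serial_clickers(rows, min_clicks=2, last_n=None):
    """Users who clicked in at least min_clicks campaigns of the window."""
    clicks = defaultdict(int)
    for r in _window(rows, last_n):
        if r["clicked"]:
            clicks[r["user"]] += 1
    return {user for user, c in clicks.items() if c >= min_clicks}


def serial_clicker_rate(rows, min_clicks=2, last_n=None):
    """Serial clickers as a fraction of users targeted in the window.

    Computing this over a trailing window (e.g. the last three campaigns)
    shows whether behavior is actually changing, instead of letting early
    failures dominate a lifetime total.
    """
    window = _window(rows, last_n)
    users = {r["user"] for r in window}
    return len(serial_clickers(rows, min_clicks, last_n)) / len(users)


if __name__ == "__main__":
    data = load_results(SAMPLE_CSV)
    for name, click, report in campaign_trend(data):
        print(f"{name}: clicked {click:.0%}, reported {report:.0%}")
    print("serial clickers (all campaigns):", sorted(serial_clickers(data)))
    for n in (None, 3, 2):
        print(f"serial-clicker rate, last {n or 'all'}:",
              f"{serial_clicker_rate(data, last_n=n):.0%}")
```

The design choice worth noting is that a user is only ever compared against the campaigns they were targeted in, and the trailing-window rate is recomputed against the users present in that window. Both choices stop a long-tenured group from being penalized forever for their first campaign, which is exactly the defensive reaction the next section warns against.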

Incentive not coercion

Some CIOs, CISOs, and HR managers hand employees a “contract” that spells out their obligation to behave correctly, along with implied consequences for non-compliance.
This approach creates tension, because employees may read it as a trap that sets them up as the “person to blame” if a cyber-attack succeeds.
That perception triggers defensive instincts aimed at avoiding dismissal rather than at preventing cyber threats. Instead, awareness programs should be designed and presented as a service to the individual, one that improves their ability to avoid being scammed both at work and in their private life.

Engagement proxies 

Improving cybersecurity awareness training usually means raising engagement levels, which is difficult.
It is frequently observed that only around 20 to 25 percent of users consistently take part in e-learning initiatives. Improving the quality of the training materials helps, but dividing the user base into smaller teams coached by team leaders, and involving those teams in group activities, adds a further incentive to participate.
Equipping team leaders with user-friendly engagement practices, tools, and monitoring capabilities is crucial for sustaining involvement in the program.

Reward 

Mutual encouragement and support within the group promotes emulation and sets off a chain reaction. Acknowledging and rewarding both team and individual performance creates a level of motivation that goes well beyond the entertainment value of gamification alone.
For this to work, the rules must be clear and the platform’s user interface must provide tracking mechanisms for progress and ranking.

It’s a positive sign when these rules and mechanisms are challenged and closely examined by the “losing” parties!


At Cyber Guru, we make it our business to know security awareness training solutions like the backs of our hands, and we believe there is no more comprehensive or practical choice on the market than Cyber Guru.

Cyber Guru offers a comprehensive training platform designed to maximise the effectiveness of learning processes and consolidate the awareness needed to deal with the ever-evolving attack techniques used by cybercrime over time.

Best of all, it has been shown to dramatically change employee behavior in the face of cyberattacks.

The truth is in the data. One of our customers went from an initial share of Serial Clickers (users who repeatedly click on simulated phishing links) of close to 50 percent to less than 5 percent, and in the following months this continued to decline, settling at an average of 1 to 2 percent.

Ready to see how it works for yourself? Schedule a free demo and consultation 
