The Power of Comedy for Cybersecurity Awareness Training

Cybersecurity is serious stuff, but the way we talk about it shouldn't be if we want people to pay attention and remember what they're taught.

Jann Yogman, Entertainment industry veteran and writer of Mimecast Awareness Training

July 30, 2021

4 Min Read
Joke glasses with mustache
Victor Moussa via Adobe Stock

How can I get your attention? That's the question I have to answer every time I take on a new security topic and turn it into a cybersecurity awareness training module that everyone can understand. I'm a comedy writer. But the subject I write about is no laughing matter.

Training has become even more important since the start of the pandemic — according to our research at Mimecast, email threats rose by 64%, and employees are clicking on three times as many malicious emails as they had before. Yet, human error is still rampant. In fact, reports show end-user mistakes are responsible for 90% of all security breaches.

Given the state of things, it's not surprising that the industry perpetually debates whether cybersecurity awareness training works. I know it can. And it does. The problem is that too many companies go about it the wrong way.

Most people expect training to be drudgery. They struggle to stay awake long enough to answer questions on a topic they probably don't care about. But they should care because their decisions matter. And their mistakes can end up costing their companies a lot of time and money.

This is serious stuff. But the way we talk about it doesn't have to be. Remember, we're trying to engage with regular people. If we can deliver content that is funny and entertaining, they may actually pay attention. And if we can get them to pay attention, their behavior will change. The way they think about security will change. They'll start to look forward to their training and understand how they can help their companies defend against cyberattacks.

Tips for Training that Resonates
Never thought security awareness training could be fun and engaging? Well, I never thought I'd be writing it. Before writing, directing, and producing security awareness training videos for Mimecast Awareness Training, I had zero background in cybersecurity. My background is in television, and I've had the opportunity to work with people like Michael J. Fox, Dana Carvey, and Conan O'Brien. In other words, I'm not a security guy.

Five years ago, I didn't even know this job existed. So, I wasn't influenced by training styles that were already out there or anchored by language that talked at employees rather than to them. I have to learn about each topic, understand the key takeaway, and figure out how to discuss the subject in a way that regular people like me can understand. Then the trick is making the content funny and engaging, so viewers will remember it.

So, what does it take to create training that's easy to consume and more likely to be remembered? Here are a few things that come to mind.

  1. Focus on Storytelling: Don't lead with the issue at hand or start with a lecture. Ease into the topic after you get your audience's attention. Develop a relatable scenario where the security dilemma seems plausible. Make your character struggle with the decision. And figure out the consequences when they make the wrong choice. In TV, we talk about developing the story arc. The same rules of storytelling apply to security awareness training.

  2. Find Great Actors: Jokes on a page aren't enough. You need to find the right talent to bring the training to life. By creating an office ensemble where viewers see the same characters each month, you can eliminate the need for backstory, the same way you can watch episodes of your favorite TV shows without having to figure out who everyone is. Working with the same characters on a continuous basis makes finding great actors extremely important. We cast each role the same way we do it in TV. That includes casting calls, callbacks, and tough decisions. The result is an ensemble that works incredibly well together and brings scripts about cybersecurity to life on screen.

  3. Prioritize Production Value: After you wrap on set, the real work begins. Editing, color correction, music, and sound design provide the polish that makes content stand out. This may be awareness training, but people will pay closer attention if it looks like television.

  4. Make It Quick: Attention spans are limited. A three-minute runtime might seem arbitrary, but you have to get out before people start looking at the progress bar or glancing at their phones. Training that is short, sweet, to the point, and delivered regularly will be most effective and ultimately keep security top of mind.

Content that is relatable, interesting, funny, and insightful adds up to "easy to consume." Using these tips can help you transition from monotonous "do this, not that" content to powerful lessons that resonate and cybersecurity training that works.

About the Author(s)

Jann Yogman

Entertainment industry veteran and writer of Mimecast Awareness Training

Jann Yogman is a writer and producer who leverages his experience in entertainment to create funny and impactful videos about cybersecurity. He's a senior director at Mimecast and a father of two girls, who make occasional appearances in his videos and frequent appearances during his Zoom meetings.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights