July 30, 2021
How can I get your attention? That's the question I have to answer every time I take on a new security topic and turn it into a cybersecurity awareness training module that everyone can understand. I'm a comedy writer. But the subject I write about is no laughing matter.
Training has become even more important since the start of the pandemic — according to our research at Mimecast, email threats rose by 64%, and employees are clicking on three times as many malicious emails as they had before. Yet, human error is still rampant. In fact, reports show end-user mistakes are responsible for 90% of all security breaches.
Given the state of things, it's not surprising that the industry perpetually debates whether cybersecurity awareness training works. I know it can. And it does. The problem is that too many companies go about it the wrong way.
Most people expect training to be drudgery. They struggle to stay awake long enough to answer questions on a topic they probably don't care about. But they should care because their decisions matter. And their mistakes can end up costing their companies a lot of time and money.
This is serious stuff. But the way we talk about it doesn't have to be. Remember, we're trying to engage with regular people. If we can deliver content that is funny and entertaining, they may actually pay attention. And if we can get them to pay attention, their behavior will change. The way they think about security will change. They'll start to look forward to their training and understand how they can help their companies defend against cyberattacks.
Tips for Training that Resonates
Never thought security awareness training could be fun and engaging? Well, I never thought I'd be writing it. Before writing, directing, and producing security awareness training videos for Mimecast Awareness Training, I had zero background in cybersecurity. My background is in television, and I've had the opportunity to work with people like Michael J. Fox, Dana Carvey, and Conan O'Brien. In other words, I'm not a security guy.
Five years ago, I didn't even know this job existed. So, I wasn't influenced by training styles that were already out there or anchored by language that talked at employees rather than to them. I have to learn about each topic, understand the key takeaway, and figure out how to discuss the subject in a way that regular people like me can understand. Then the trick is making the content funny and engaging, so viewers will remember it.
So, what does it take to create training that's easy to consume and more likely to be remembered? Here are a few things that come to mind.
Focus on Storytelling: Don't lead with the issue at hand or start with a lecture. Ease into the topic after you get your audience's attention. Develop a relatable scenario where the security dilemma seems plausible. Make your character struggle with the decision. And figure out the consequences when they make the wrong choice. In TV, we talk about developing the story arc. The same rules of storytelling apply to security awareness training.
Find Great Actors: Jokes on a page aren't enough. You need to find the right talent to bring the training to life. By creating an office ensemble where viewers see the same characters each month, you can eliminate the need for backstory, the same way you can watch episodes of your favorite TV shows without having to figure out who everyone is. Working with the same characters on a continuous basis makes finding great actors extremely important. We cast each role the same way we do it in TV. That includes casting calls, callbacks, and tough decisions. The result is an ensemble that works incredibly well together and brings scripts about cybersecurity to life on screen.
Prioritize Production Value: After you wrap on set, the real work begins. Editing, color correction, music, and sound design provide the polish that makes content stand out. This may be awareness training, but people will pay closer attention if it looks like television.
Make It Quick: Attention spans are limited. A three-minute runtime might seem arbitrary, but you have to get out before people start looking at the progress bar or glancing at their phones. Training that is short, sweet, to the point, and delivered regularly will be most effective and ultimately keep security top of mind.
Content that is relatable, interesting, funny, and insightful adds up to "easy to consume." Using these tips can help you transition from monotonous "do this, not that" content to powerful lessons that resonate and cybersecurity training that works.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks