#RSAC: Characterless Security Training Fails to Change User Behavior

Security awareness training is increasingly “surrounded by characterless instruction,” which is preventing meaningful behavior change in end users.

With this in mind, the National Cybersecurity Alliance (NCA) is exploring humor as a tool to make training more effective.

Security teams still tend to design training sessions focused on content, forgetting that the recipients are human beings, Lisa Plaggemier, executive director, National Cybersecurity Alliance (NCA), said during a presentation on day two of the RSA Conference.

You must engender emotion in the subject to engage effectively, she added.

Plaggemier and her co-speaker, Jenny Brinkley, director of Amazon Security, emphasized that humor and unexpected elements are key to making awareness training effective and memorable.

They also highlighted the United Airlines safety video for airline passengers as an effective training campaign that used these approaches.

With this in mind, the NCA is planning to release a cyber awareness training comedy series shortly, one that uses humor to impart lessons to the audience.

Plaggemier and Brinkley set out four actionable steps for security teams to improve their awareness training sessions:

  1. Brainstorm with staff throughout the company to understand their preferences
  2. Take inspiration from sources outside the organization
  3. Be relatable to the experiences of employees in the business
  4. Start small – for example, use freelance graphic designers
  5. Be prepared for users to dislike the training – but don’t discard your work because of it

The Amazon Approach

Speaking to Infosecurity, Brinkley also emphasized the importance of inclusivity and representation in awareness training content. This is particularly pertinent for her role at Amazon, a global organization with employees operating within many countries and cultures.

Areas to consider include ensuring different languages are used and that all types of accessibility needs are met.

In terms of the content, there should be “different scenarios that relate to a global audience.” This should also account for cultural differences.

“In some countries, when an incident happens, there’s a lot of fear about reporting something – so how can you ensure that there’s not any kind of retaliation culture,” Brinkley said.

Brinkley added that the growth of AI and machine learning technologies is a major focus of Amazon’s awareness training – an area that is particularly relevant given the rise of ChatGPT.

“Our core fundamentals have always been investing in these spaces but providing guardrails and recommendations to our builders on how to use this technology safely while not stifling innovation,” she added.

Another important aspect of awareness training at Amazon is security behavioral considerations for being in the physical workplace, following the tech giant’s announcement that it will be requiring its staff to return to the office for at least three days a week effective from May 1.

Brinkley said that with many workers having not returned to the office since the start of the COVID-19 pandemic, reminders are needed around secure behaviors in a public environment.

“I think we got a little more relaxed during the pandemic,” she noted.

Reminders to give staff include not leaving laptops without a privacy screen when away from the desk, and the correct use of badges to enter physical office spaces.