"I've been involved with security awareness training for several years now, and I can't remember one single compliment on any of our previous courses," sighed Alex Yokley, Director of Corporate Information Security at Western Union.
Sound familiar? Probably so, as too many people involved in training employees on information security are singing the same song. And who can blame the bored employees? The fact is most compliance training programs are incredibly dull. User surveys consistently report that the only reason people take the courses is because they have to.
It turns out that employees taking required courses are just checking a box—just like the many information security people who administer the training. It seems that "checking the box" rolls downhill. The only difference is, when the course takers check the box, they also check out, forgetting what they learned only minutes after completion.
But Yokley, together with information security engineer Kim Hickman, decided it was time to take a different approach—a radically different approach. An approach that would mean escaping from the box of traditional, yet ineffective and uninspiring training that ultimately yields nothing but annoyance and dissatisfaction. Did their departure from the well-worn path work?