Western Union: Their bold new approach to awareness training (and why it's working)

John Schroeter recently sat down with Alex Yokley and Kim Hickman of Western Union to discuss their unorthodox approach to security training

"I've been involved with security awareness training for several years now, and I can't remember one single compliment on any of our previous courses," sighed Alex Yokley, Director of Corporate Information Security at Western Union.

Sound familiar? Probably so, as too many people involved in training employees on information security are singing the same song. And who can blame the bored employees? The fact is most compliance training programs are incredibly dull. User surveys consistently report that the only reason people take the courses is because they have to.

It turns out that employees taking required courses are just checking a box—just like the many information security people who administer the training. It seems that "checking the box" rolls downhill. The only difference is, when the course takers check the box, they also check out, forgetting what they learned only minutes after completion.

But Yokley, together with information security engineer Kim Hickman, decided it was time to take a different approach—a radically different approach. An approach that would mean escaping from the box of traditional, yet ineffective and uninspiring training that ultimately yields nothing but annoyance and dissatisfaction. Did their departure from the well-worn path work?


It did, indeed. Upon rolling out the newly designed course, the duo began to sing a very different kind of song. "We've been overwhelmed," Yokley says, "by the incredible volume of positive responses we received within just the first 24 hours of launching the course. It was, in every respect, a huge success." And with hard data in hand to prove that success, Yokley and Hickman continue to push the boundaries of information security education. We recently sat down with them to learn more about how they accomplished it.

What led you to undertake such a bold awareness training initiative?

Kim Hickman (KH): For years we'd been conducting the traditional training courses; the usual bunch of slides that takes you 30 minutes to get through. And one of the things they all seem to have in common is they push way more information than anyone can realistically take in. What's more, they leave it to the course takers to decipher which pieces of that training actually apply to them. So rather than lose them altogether, we wanted to find something that would be more engaging and fun and yet still get the point across.

Alex Yokley (AY): Historically, our courses were like many other corporate training courses you see: lots of bullets, lots of words, lots of mandatory clicking, and a test at the end. They're just boring. Besides, the annual training courses are really not the ideal time and opportunity to be teaching people new concepts. People just don't retain the content when it's presented in that way. Rather, the annual event should be an occasion to reiterate the basic concepts that they should already know, but just need to reinforce. That led us to reevaluate the whole process, to approach the training in a different, more relevant and effective way. And that's what provided the spark to create what became the "Day in the Life" course.

Tell me more about the central theme that drove the development of the course content.

AY: We all have little "security moments" throughout the day. Oftentimes you don't even notice them, but subconsciously you're actually making a decision. It's either a good decision or a bad decision. The big idea behind our course was to simulate those everyday moments, and in the process, teach people the proper responses when confronted with those forks in the road. Frankly, they don't care that there's a government regulation driving this; they just need to know in that moment how to respond. So we identified the scenarios that would apply to almost everyone in the company—all the common dilemmas that we all face, and those became the basis for the course.

That's quite a departure from the typically rigorous coverage of a broad scope of security awareness issues. Most traditional courses really do try to cover all the bases.

KH: That's right, they do. But instead of the hundred things that you might think about from a security perspective, we really pared it down to the ten issues that affect everybody. So instead of a hundred topics, of which only ten might actually be relevant to the individual taking the course, we focused on what matters most to everyone in the organization.
