EXECUTIVE SUMMARY:

End user training protects your organization from low-level and sophisticated cyber threats. It can improve decision-making, reduce human error and generally help limit cyber breaches. More than 90% of threats start with the end user, making end user training a business best practice. 


Cyber security awareness training used to mean long hours in conference rooms discussing a mélange of cyber security messages, occasionally in overly technical language. No more. Old school training commonly failed because it didn’t engage the user or move the needle when it came to truly stopping cyber threats. 

As you plan your next security awareness campaign, consider how you might teach a good friend about cyber security. What analogies would you use? What humor might you incorporate? What cool program would you present to make the learning engaging, relevant, and memorable? 

  1. Pursue a behavioral science-based approach. Your goal is to change human behavior. An increasing number of cyber security awareness software vendors and businesses are incorporating brain-based methodologies into their programming. How would a behavioral scientist approach cyber security training?
  2. The brain is 68% more active when having fun. Therefore, it makes sense to create a security awareness campaign with fun, interactive components. Programming that includes animation and pop quizzes, that gamifies content, or that offers badges and shows achievement thresholds can make the brain feel engaged, rewarded and ready to keep learning.
  3. The brain is wired for novelty. Humans naturally gravitate towards things that are new (and shiny). Keep your programming fresh and vibrant; regularly introduce a modest amount of novelty into your cyber security awareness program. The standard annual cyber security lecture in the office setting is likely the opposite of novel. 
  4. Create cyber security events. Although many organizations are primarily operating virtually at the moment, cyber security events can still be fun! Think cyber security escape rooms, online scavenger hunts, and other security-themed games. Creative event options abound; the biggest challenges might be determining what will work based on your organization’s employee culture, what messaging to focus on, and event management.
  5. Ensure that training is presented in easy-to-understand language. Offering end user training in multiple languages can potentially increase engagement and comprehension. This can help employees integrate cyber security awareness training into their day-to-day routines. 
  6. Introduce topics covered within the NIST content library. NIST also provides recommendations regarding how to potentially structure cyber security awareness programs so that employees will look forward to hearing from security leaders.
  7. Less is more. Employees are more likely to pay attention to cyber security if it’s not a topic that’s on full blast every day. Approach cyber security communications in a friendly and judicious manner that offers signal, not noise.

End user training should be seen as an essential component of a well-run, comprehensive cyber security program. It is not a substitute for technical security configurations.