Goldman, Eric H. (2019). Push the Button: Making Security Training Fun and Interactive. International Journal of Information Security and Cybercrime (IJISC), Volume 8, Issue 1, 30-34.
DOI/FullText at: https://www.ceeol.com/search/article-detail?id=833997
As humans, we are all constantly trying to find the signal in the noise. Unfortunately, the topics and behaviors that we, as corporate security trainers, are trying to explain, teach, and reinforce are often seen as noise to those whom we are targeting. Therefore, to achieve our goals we need more than pertinent information and slick graphics; we need to find ways to stand out, capture people’s attention, and find a way to cement our desirable security behaviors with positive associations. An effective strategy to stand out, make your message more memorable, and to build a positive reputation for your security team is to incorporate interactive exhibits and activities in your security training program.
Understanding Your Place in the Noise
Security awareness and training in corporate environments is difficult. Even employees with a light workload are often unreceptive or obstinate when asked to enroll in compliance and security training. Worse, it often seems like the employees performing higher risk activities are the hardest ones to reach and influence. Today’s information workers spend most of their workday in front of their computers. While this makes it technically easy to reach them, on the computer screen, you are always competing with something else, be it never ending emails, advertisements, news, games, or anything else specifically designed to steal your users’ attention. Layer on mobile phones and other devices, which are also easily accessible, and you are fighting a constant barrage of nudges and push messages whenever you try to communicate digitally. Commonly, we think the challenge is overcoming apathy towards training and low prioritization; however, the bigger challenge is that, as they say in marketing, we are trying to win the “battle for attention.”
The go-to method for training and communications today is via digital channels. Especially for distributed and global organizations, email and eLearning are the most obvious way to scale at low cost. Unfortunately, the reality is that usually nothing digital is consumed in isolation. For better or worse, information workers are conditioned to multitask and constantly shift priorities. This has the unfortunate side effect of information being missed or ignored when delivered via email, social media, or eLearning. Even when employees do enroll in training it is often not completed in a timely manner, is not taken seriously, or is performed in a cursory and perfunctory manner. While this can achieve check-box compliance, merely skimming materials to answer the certification quiz is ultimately unproductive and leads to a distaste for the training content. Even if employees earnestly and sincerely attempt some computer-based training (CBT), their divided attention results in reduced comprehension and retention of key concepts. Even interactive CBTs with activities, quizzes, etc. are often not truly designed to be engaging (often they are designed chiefly to prevent blind click-throughs) and rarely result in any type of concept proficiency beyond basic recall and terminology recognition.
Go where you will be heard
Attempting to counteract all these distractions can be difficult. It is an uphill battle, often further complicated by unintuitive learning management systems (LMS) and unsupportive management. However, you can find more favorable conditions and sidestep these challenges by taking your training to an environment with fewer distractions and competitors.
Meet your users someplace where they are not glued to the screens on their desks or in their pockets; there you will be better able to capture their attention. However, this does not mean simply putting up a poster in the break room. Instead, host an activity that will result in memories built on knowledge and hands-on experience. An individual is better able to create strong memories when there is context and connection with people and places instead of isolated facts. By engaging with employees through interactive exhibits and activities you give your message a better chance of being initially heard, encoded, and actively recalled.
Grab their attention and keep it
The foundation of an effective interactive learning experience is friction. Friction, in this sense, means there needs to be some physical action, back and forth discussion, etc. A friction experience requires an individual to stop and refocus. This is important because an individual away from her computer may still be stuck on lingering thoughts. Moreover, friction creates memories that are more likely to be retained long term. This is especially true when there is some tactile or active element. Visit any children’s museum and you will see that there is always some button or flap to uncover, even when an exhibit is mostly text on a wall. The friction serves to slow down and regulate the process. Note, however, there can be too much friction – you don’t want your interactive experience to be frustrating or mentally taxing due to lack of clarity or unnecessary complexity.
In addition, good interactive experiences are usually not “learn then recall” exercises. Rather, they start with questions or challenges that then lead to answers. This forces the individual to problem solve and build context, resulting in deeper thinking compared to rote learning. This does not mean, however, that you should aim for an open ended or philosophical experience. An interactive activity should be focused on one or two topics and should enable the learner to take concrete and specific future actions. While it is tempting to maximize your opportunity, you must be careful not to create your own noise. An interactive exhibit should be easy to consume in passing. Keep it “short and sweet.”
Lastly, find ways to generate interest. This means more than sending out an email or putting up a flyer. Two strategies you should consider utilizing are the discoverable experience and network effect. A discoverable experience is usually something simple that one can interact with on her own and often appears with little to no context. The goal is to create some curiosity that calls out to a passer-by to interact. When something is unexpected and unfamiliar, your instincts tell you to stop and investigate. Find a high traffic area and do something to stand out. For example, you could present a sign asking a question reinforcing a current training topic, and then direct the user to walk around the corner to find another sign with the answer and explanation.
You can also build upon this experience by utilizing network effect. Training is usually delivered and communicated in a top-down approach. Utilizing network effect means interest is generated and your exhibit is promoted in a peer-to-peer manner. You want to find ways to make someone say to their colleague, “You need to check this out!” A simple, fun interactive experience, especially an interesting discoverable experience, is newsworthy, and people will want to share. Peer-based promotion results in improved reception of the training and a better form of encouragement for the next person. It also further reinforces the memory and lesson for the person promoting the activity to her peer.
I’ll show you how to push my buttons
Creating an interactive experience can at first seem daunting; however, the complexity is far less than what is required for eLearning. With eLearning, trainers need to learn multiple systems and must worry about compatibility between backend systems and end user workstations. Your interactive learning exhibits can be crafted with minimal dependencies and basic understanding of mechanics. If you are not mechanically inclined, this is a great opportunity to reach out to your corporate community; you can enlist the help of others to build the experience with you, creating allies and promoters in the process.
Of course, it is not necessary to create something overly elaborate. For example, one of the most successful interactive exhibits I deployed relied on nothing more than a poster and four off-the-shelf voice recording buttons. Deployed during Security Awareness Month, we utilized this interactive exhibit to reinforce strong password creation principles with our employees. The poster posed a simple, straightforward question, “Can you spot a strong password? Consider each of the four passwords below – which passwords are safest from hackers?” Underneath this question, four different password/passphrase options were provided, two very weak and predictable, while the other two were very strong. In order to find out if the password was strong or weak, the user had to push the corresponding button under the password/passphrase. When pushed, the button would play a short audio recording with an explanation.
We intentionally caused friction in a few ways. First, people generally expect only one correct answer, but we provided two; therefore, even confident individuals would often struggle between both correct choices before playing the recordings to see if they were correct. Further, the individual needs to physically push the button and listen at the pace of the recording (it is not possible to skim audio in the same way as text). We mounted our exhibit on a wall in a very high-traffic area. We did not actively deploy any publicity, but we generated great word of mouth referrals. On several occasions, we observed from afar people interacting with our buttons who seemed to be well engaged and interested; sometimes, we would approach people while they were experimenting with the buttons to engage in conversations. On other occasions, we witnessed groups of people convening around the buttons and actively discussing the problem together. These group interactions help to reinforce concepts and lead to stronger memories among the individuals.
While we did not actively track the number of participants, we saw discussions and comments on internal social media and some company leaders talked about the buttons during company communications. People genuinely enjoyed the activity and mentioned as much on several occasions to members of the security team. In addition, it was very low maintenance to deploy as it did not require any active monitoring or explanation by a trainer. Exhibits like these are easy to deploy across multiple organization locations. Note, however, you will require a dependable person at each location to scout out a good location and occasionally ensure the exhibit is intact. The total cost was around 100 dollars, including printing and ancillary supplies like glue. This means it could be deployed at numerous locations for less than the cost of an off-the-shelf eLearning module from a training company.
We learn through play
Another example project was our Creepy or Clever interactive game that we deployed for Data Privacy Day. Creepy or Clever is a concept we introduce during new hire training to help guide our employees to use customer data respectfully. We created a simple web-based game where the player is presented with five different scenarios. Each scenario describes a hypothetical product feature or marketing idea, for which the player must decide if the idea is good for business and the customer (clever) or risky or inappropriate (creepy). Instead of deploying the game through an LMS, we hosted a live event where people could discuss scenarios with other players, as well as members of the security team. We connected computers to large TVs and created USB-connected buttons (one button for creepy and another for clever) to simplify the game play (the game could just as easily be deployed at lower cost using keyboard and/or mouse).
In addition to the gameplay, we also included some other aspects to help with reinforcement and retention. First, after each player finished, she was given a security team promotional item, regardless of score. In addition, we would also discuss the player’s thoughts on the scenario with her so we could help improve her ability to identify issues and point out important details that may have been missed. The discussion portion helps to cement concepts, and it also provides the opportunity to provide customized feedback, which would not be possible in an eLearning or lecture environment. In addition, the discussion provides a great opportunity to create a positive association with the security team members and to humanize the security team. Beyond opening a dialog, we also presented useful information and handouts on identity theft protection so that participants could draw a personal connection to our message: While our primary objective was to educate employees on protecting customers, the identity theft protection materials help to make the issue directly relevant and personal to the learner.
After the event concluded, we left the game running as a self-service activity. We designed the game using a conversational flow design, so there is still some friction when played independently and we debrief in-game on each question whether answered correctly or not. The physical presence of security team members was a great booster, but the game still provides tremendous value on its own. While we employed in-house expertise to create our virtual game, the same concept could be produced using posters, flip charts, or other non-digital means and at low cost. From a metric standpoint, it is easy to track the number of participants digitally, but in a non-digital format you could create a contest where the entry form requires noting the correct answer to the five questions to win the prize. Ultimately, the project was a success. Participants found the game easy and fun, with many noting they would refer their colleagues to check out the exhibit. Even if those peers would not later come in person, we found participants were likely to talk about the game and were willing to share key takeaways on our behalf.
Integrating interactivity into your program
While deploying interactive exhibits provides your security team and your employees with great outcomes, it must be recognized that they are additions, not replacements for other elements of your security awareness program. First and foremost, it is difficult to make an interactive exhibit compulsory and participation can be difficult to track. Traditional eLearning or classroom-based training will likely still be required for compliance purposes and to ensure that all employees receive the minimum exposure to topics. With that in mind, upfront planning can allow you to create specific interactive exhibits that coordinate and therefore reinforce training delivered online (as was the case with Creepy or Clever, which builds upon our mandatory new hire training). In addition, if deployed too frequently or if too many activities are deployed at the same time, they lose their novelty. Interactive learning should be deployed concisely and strategically, only when it makes the most sense.
Furthermore, creating, managing, and running interactive exhibits requires the correct mindset. There are many practitioners of security awareness who focus on project management or who take on the responsibilities in addition to technical security work. One must be empowered to be creative and needs the support of team members in other functions to deploy an interactive exhibit. In some cases, your security awareness program manager may be up for the challenge, but it can be hard to engage others to support. This can be a challenge in a multi-location organization where the security team does not have local connections or support to run the event. While travel is one option, you can often leverage colleagues in human resources, communications, and even facilities management. For simple exhibits, it should be possible to provide all materials and setup instructions by mail. However, you will still need to utilize people management and influencing skills to ensure success.
Your interactive exhibit/activity should be simple to understand and execute. While you want some friction in order to gain individuals’ attention, you want to keep the actual activity simple and to the point. To this end, use simple language and focus on actions. For example, instead of spending time trying to teach the definition of phishing, simply say fake or fraudulent email. Avoid using jargon, unless you are making an activity for a specific group or role in your organization. In addition, consider usability and accessibility. Use easy to read, large fonts and test the readability of text from a few feet away. Lastly, think about the time it will take to complete your activity. Keep it as short as possible by sticking to core information and avoid unnecessary or tangential information. Be sure to test your interactive exhibit or game with a test group who was not involved with the design or preparation.
When it comes time to execute, remember that if it is not a mandatory activity you need to have a strategy to maximize participation. As noted above, choosing a high traffic area is an important first step. While initially you may avoid direct publicity in order to create a discoverable experience, after some time you may need to turn to active promotion. If there are live hosts for your activity/exhibit they are responsible for encouraging participants to share their experience with their peers. Empower your hosts to reach out to people passing by even if they do not seem initially interested. If the exhibit is self-service, you can include a hand-out that includes a call to action to share. Ultimately, however, remember that some people may not have the time or may simply not want to participate; 100% participation would be ideal, but it is not a realistic goal to set. Being overly pushy could leave non-participants with negative feelings toward the topic and your security team.
Interactive exhibits and activities are a fun and cost-effective way to enhance your security awareness program. First and foremost, they allow you to reach individuals in environments free from distractions and multitasking. An interesting interactive activity will help create a positive association with the content and your security team. In addition to being worth sharing, interactive and tactile elements result in the formation of stronger memories compared to information presented on screen. Successful interactive exhibits do not require complexity and can often be implemented at multiple sites cost effectively.