Three Psychological Theories to Ensure Cybersecurity Training Sticks

Cybercrime is rising sharply, with hackers using advanced AI and sophisticated social engineering tactics to exploit human weaknesses and so bypass strong technical defenses.

The pace of cybercriminals’ innovation is outstripping companies’ abilities to respond, turning even our most trusted employees into a potential threat. The only way to really protect companies and people is by changing human behavior and building security cultures – we need all employees to understand how hackers act – and then help us outsmart them.

The challenge is to create programs that are neither dull to participate in nor quickly forgotten once completed.

Taking a Behavioral Approach to Training

Research and advisory company Forrester Research Inc. has challenged the cybersecurity training industry to come up with better ways to educate and enable “the workforce to protect themselves and their organization against cyber-attacks.” In a time where criminals are getting ever more brazen in their approaches, this can only realistically be achieved with new tools.

Criminals exploit our innate humanity – sending messages that trigger our ingrained flight or fight response: your child is being held hostage; your house is about to be foreclosed; your life savings are being syphoned out of your account. Something bad is going to happen, and it’s going to happen right now – our limbic system kicks in and logic is prone to fly out the window. 

Users must be given levers to preserve and regain emotional control. This will give them the ability to pause and tap into the better parts of their nature – the frontal cortex, where rational, logical thought exists.

Research from psychology offers ways to work in concert with how people naturally operate, tapping into the human element and making training more effective.

Pulling from the behavioral research corpus means using rigorously studied, academically proven techniques in human behavior. It’s no longer guesswork – there’s research to back up the approach.

Let’s look at three of these theories in more detail, and explain exactly how they can be used in designing training programs to help employees build lasting connections, with the aim of making secure behavior second nature.

Tapping into Flow

Hungarian-American psychologist Mihaly Csikszentmihalyi pioneered the field of “positive psychology,” with a particular focus on the concept of “flow.” Flow is sometimes described as being “in the zone,” a state of heightened focus and immersion during challenging and enjoyable activities.

Most people can imagine what flow looks like, although achieving it consistently is more difficult. One technique is matching content and exercises to someone’s skill level, as overly basic material or tasks will bore users, while things that are too complex will confuse them.

Material also needs to steadily advance in difficulty, so people feel challenged and engaged. Increasingly, designers are borrowing techniques developed for tabletop and video games. 

Learning is made more interesting by allowing users to get involved within stories, experience things and then reflect on what happened for better retention. These activities also provide a blueprint to ensure information is presented in digestible chunks, so the trainee is not overloaded.

This approach brings results – in a Talent LMS survey, more than four in five respondents said these gamified techniques improved their learning and built a stronger connection with content.

Continuous Reinforcement 

Material that isn’t reviewed is quickly forgotten. Hermann Ebbinghaus’ Forgetting Curve shows a series of declining lines, representing the rapid evaporation of retained information. After a week, less than 10% of items absorbed will be recalled, which is quite a drop when taking into account the cost in terms of resources and time involved in putting together and delivering training.

Ebbinghaus’ research into memory decay found that continuous learning is needed to counteract the natural process of forgetting. Timed repetition is particularly important.

Instead of cramming, revision is spread over regular intervals. This is famously used by language learning software Duolingo, which uses continual revision and mandatory review to ensure tens of millions of users can absorb, recall and utilize vocabulary and phrases.

This reinforcement needs to be positive in nature, allowing people to feel increasingly competent in their ability to succeed. Aim for fearless, anonymous practice.

Over time, people see that they are repeatedly able to prevent different types of simulated phishing attacks, which helps them calm down and act more rationally. They can then tap into this feeling of confidence and understanding when presented with a ‘real life’ attack.

Contextual Learning 

Psychologists focused on the concept of constructivism (not to be confused with the similarly named art movement), such as Lev Vygotsky, developed a theory that knowledge comes from experience rather than passive absorption.

From this springs the idea of contextual learning. Mock exercises need to feel connected to the actual life of the user; otherwise they can feel like pointless, irrelevant theory. This means exercises should be positioned in an environment that feels close to their everyday experience, peppered with terminology and phrases that come from real life.

This makes it significantly easier for people to see what they are doing ‘in the classroom’ as a faithful simulacrum of what they will actually encounter. They will be able to contextualize the information more easily and quickly recall what they did in the classroom when back in their normal job.

Achieving a Higher Rate of Success  

This is not a comprehensive list of theories relevant to cybersecurity training. Others may find it useful to investigate the concept of self-efficacy by Canadian-American Albert Bandura or the idea of learned helplessness from another important figure in positive psychology, Martin Seligman.

Others may also look at how Howard Gardner’s Multiple Intelligence Theory and Richard Mayer’s Theory of Multimedia Learning encourage a broad approach to creating material, showing that a multi-channel or multi-modal approach will be more impactful than a single form of exercise. Interesting and sometimes provocative literature is being published all the time, providing new insight into how people store and recall information and adapt their behavior.

The takeaway from this review of the literature is not that one needs a doctorate in psychology in order to make decisions about training. Instead, people responsible for this area should feel empowered to scrutinize the basis behind a particular approach and ensure it connects to a proven technique when selecting or designing their training.

Ultimately, a grounding in these principles can lead to training that has a much higher rate of success in creating a human-centered approach to preventing attacks on an organization. Rather than leaving the psychological toolkit to cybercriminals, we can also use the long-proven insights from behavioral science to develop these mission-critical pieces of training.

These tools will help ensure that employees are frequently “winning” in their battle with criminal actors. 

What’s hot on Infosecurity Magazine?