We have all been there – another dreaded training session. Users sit there whilst some poor member of the IT team gives a talk on the importance of having a complex password or the reasons you shouldn’t leave your laptop unattended in a public place.
Users listen – or don’t – to the presentation, or sit at their desk, clicking their way through the latest iteration of computer-based training as fast as they can. I’ve been there – it often feels patronizing or boring and is in no way memorable or engaging.
For the CISO, it must be extremely frustrating. They give talks and seminars and roll out the best tools available on the market to educate and protect their users, who persist with ‘Password1978’ or click on that dodgy looking email. It is only natural to ask why this behavior endures and what more you can do. The answer lies in storytelling, but even the best training solutions available on the market don’t make nearly enough use of this powerful tool.
When the abstract becomes real
As someone that is a relative newcomer to the security industry, I really do have sympathy with both sides of this equation.
I never had much of an interest in cybersecurity – it was always something that happened over there, to those people. It was something that I thought you really only had to worry about if you were a big company. I never thought I would be the victim of a breach – what would they have to gain from coming after a small business owner like me? I thought I was outside of the cybercriminal’s gaze. I was wrong.
Hackers gained access to my bank account details. No great harm was done, but suddenly something very abstract became very real. I became fascinated by security and started reading. One thing that struck me was the persistent rhetoric around users – how do you train your accounting team about security? Are users to blame for security incidents? Training the untrainable.
Now that I am in the industry and know a lot more, I understand that for CISOs, these kinds of issues are a nightmare, and I have a huge amount of sympathy for them. Training people on a subject they have little or no interest in must be very hard, especially when they are busy with their own jobs. It must be difficult to get people to take notice of complex issues that can seem very abstract and don’t relate to their field.
Making security like the every day
So, I thought about users, and how you could get them more interested in cybersecurity. Thought about their behavior and what they like to do. Ultimately it boiled down to ‘how can we make security training more like their every day?’ The answer is storytelling. We all like to relax in different ways – whether that be watching a film or the TV, reading, listening to music, conversing with friends or playing video games. The common theme from all of these activities is storytelling.
It is able to create empathy and can really boost engagement – we generally watch, listen, discuss or play with content that we can either relate to, or that we find interesting. This is something that has really been missing from security training and something that we must make more of if we are to get through to users.
From a user’s perspective, you would pay much more attention and take much more from training if you were able to immerse yourself into a date with a cybercriminal, sat directly across from someone that is trying to glean information from you for a social engineering attack. Or maybe you’re inserted into the world of a law enforcement agent that has infiltrated the dark web, and is able to explore the various methods cyber-criminals use to gain access to a company.
Now compare that to the usual training users sit through. Both serve the purpose of educating users, but one is memorable and exciting; the other is run-of-the-mill and dry. I am not trying to trivialize training. It has to have serious undertones and can’t all be about having fun. Injecting a bit of realism or excitement into it, or even just making it a bit more relatable, can really help to increase engagement and drive the message home.
If we want to increase security awareness in a meaningful way, we must make better use of storytelling. If we don’t, CISOs will continue to see users with the same glazed over expression on their faces as they sit through another talk, thinking that cybercrime is something that happens to other people, and security incidents caused by users will continue, when they could be avoided.