We hear all the time that users are the weakest link. And sure, it’s a trope that’s easy for us security folk to wheel out, put the blame on someone else, make ourselves feel better. But what if we could give our users the tools to become our strongest cyber defenders? What if they became our strong suit? And what if user awareness training is the answer?
grey matter.
“Another day, another load of CBTs (computer-based training) to get stuck into! Yay!” said no one, ever.
I want you to really think hard about this one. When was the last time you got super excited about watching Tony the Trainer wheel out his years old slide deck about not clicking phishing links? Were you salivating over his salacious soliloquies about smishing? Or were you, like most other people, fantasising about slamming your head into the desk and thinking whether you could make your grey matter hit the wall to the left of you if you bounced your head off the wood hard enough? Ok maybe it’s not quite that bad. But it isn’t fun, is it?
You see for me, the issue I have with security people is that we’re quick to say, “Oh well Susan clicked the phishing link and that’s why we’re all fucked.” But we’re never quick to say, “Actually, Susan totally disengaged with the training we gave her on this subject because it was boring and we framed it as a punishment for clicking on our phishing test.”
carrot & stick.
I never used to run to my detentions at school, thinking, “Wow, I’m gonna have such fun and pay total attention to Mr Armstrong retelling me about covalent bonds.” I used to slope there, hoping he’d forgotten I was too chatty in class and try to get away with messaging my friends on BBM. (I realise you can probably guess my age from this, but fuck it).
If we want to actually protect our users, if we want to empower them to actually ‘take security seriously’, then we need to reframe the entire thing. User awareness training is inherently broken. The whole thing. And yep, I’m not technical, but I know a lot about people and how they work. And I know for a fact that there has to be a better way of doing this. The ‘norm’ isn’t working for us anymore.
So how about we reimagine cyber training? Scrap what we have and start afresh. Let’s stop using training as a punishment and start looking at it as a tool for empowerment. We want our front line to be batting off attacks when they come up against them. Not falling at the first hurdle.
active learning.
A study by Harvard* found that using active learning techniques made for better learning outcomes even when students thought otherwise.
Getting our other senses involved with training allows our brains to make better connections, create deeper memories, and have more of a bloody chance of recalling information when we need to put it into practice. We give our pen testers tools like Hack the Box and Try Hack Me. So why aren’t we giving our users something more hands on too?
Luckily, here at The Cyber Escape Room Co., we’ve developed hands-on learning for high-value targets. Cyber escape rooms sound sexy, and that’s because they are. They’re interactive and fun. You might even run home and tell your other half about them. Engagement is the key here. Let’s escape the norm together. And empower our users to do better with better user awareness training. ■
If you’re looking for a team building or security training event that your team will actually want to attend, then contact us to discuss our training & events services.
book your escape room today.
Get in touch today and book your own escape room event with the esc team today!
Reading List
The latest content for your reading pleasure.
