If you’ve ever taken a security awareness training course, aside from a phishing assessment that tests your skill at avoiding email attacks, you may not have noticed something that’s really pretty obvious. Security awareness training is typically delivered using a “learning management system” or LMS that has a very predictable format.
It delivers what we call “static content”, such as pages of text, audio or video. We call it static because it’s the same very time you view it and you can’t interact with it – or if you can, it is very minimal interactivity. Then you get quiz questions to test you on what you were just told.
But the big problem with all of these LMS-based training programs is that they assume you have an interest in learning and will pay attention. If you’re not interested, you might understand the content, and remember enough to pass the quiz a minute or two later.
But you really haven’t committed it to long term memory. And you aren’t likely to remember it when you are faced with a real-world situation, together with emotional inputs.
The way I often put this into an analogy is, if you are taking self defense lessons, you don’t usually do that in a single white board session or a Youtube video. It won’t help you when you are facing a real physical attacker. You need to practice and get to know the feelings around the situation.
With security awareness, many managers have come to expect that the results will have minimal impact on employee behavior. So it’s more of a compliance exercise, and a cost center. And so they limit the time and money they will spend on this kind of training, virtually guaranteeing that it won’t show meaningful results. It’s a vicious circle.
Only when managers see a real shift in the rate of incidents involving employee decisions or a visible change in culture, will they consider encouraging employees to spend more time “practicing”. And only when employees actually enjoy the experience will they want to do a training session more than once.
You may think this is never going to happen. But the most common feedback we get is that Click Armor is fun, and that people are more competitive than they think they are about the leaderboard.
So, if you’re feeling like you’re in a no-win situation, where targeted threats against employees are escalating, but your security awareness program is not effective because people don’t engage with it, then you might want to give Click Armor a try. After all, it’s free to do a trial, just to see if it can make a difference for your organization.
I think you’ll see a big difference from the LMS based training you may have been using.