Humor and storytelling humanize awareness training programs for better knowledge retention and employee engagement.
By Sean Brady, VP, Product Management at Mimecast
Bueller? Bueller? Anyone?
We’ve all experienced a boring teacher who completely lost the interest and participation of the class. I have a teenager, and it’s remarkable to watch how fast he switches off and rants about repetitive or unengaging lessons on the ride home from school. If the brain is meant to be a sponge, a boring teacher offers little for it to absorb. The same is true of security awareness training and user behavior.
With email-driven cyberattacks on the rise, awareness training is a key foundational pillar in establishing a culture of cyber engagement within an organization. The problem, though, is that security awareness training programs, when executed poorly, are reminiscent of the bone-dry lessons from our school days. Training can bring our old academic foibles back to the surface; perhaps we resent getting lectured, don’t care about the course material, or have anxiety about being tested. Maybe we’re all just teenagers at our core.
And yet the efficacy of strong awareness training is clear: Employees who receive consistent security awareness training are five times more likely to spot and avoid clicking on malicious links, according to the Mimecast 2022 State of Email Security Report.
The challenge for security teams lies in finding a program that is both informative and engaging. Awareness training should drive home key concepts while providing reporting metrics for organizations. On a tactical level, training needs to recognize and support the diversity of its audience. How can you appeal to both the accountant and the graphic designer while also factoring in varying abilities, genders, origins, languages, and backgrounds? And as the cherry on top, training should be enjoyable. Humor is a key part of any effective training program and can help establish widespread engagement on the awareness level, get the right message across, and build a more cyber-aware culture over time.
Humor as a Universal Training Language
Think back to your favorite teacher from school. What were the characteristics that made them a good teacher? They may not have taught your favorite subject, but they were able to deliver the subject matter in a way that struck a chord. That’s what a comedic spin can do in security awareness training.
Humor is the best path to finding common ground and driving engagement. Envision a training video with a lone presenter speaking in front of a greenscreen vs. a light-hearted skit shot in an office setting with characters that are consistent throughout the program. Which is more relatable? Which tells a better story?
No one’s job is to be trained—our jobs are to do a variety of things across the organization. Training should feel like a brief reprieve from daily tasks, not a chore to be completed. Levity and creativity that keep employees guessing (and chuckling at their desks) nudge them toward immediate engagement and completion rather than avoidance.
Cybersecurity training covers serious topics with real-world impact on humans and businesses around the world, so comedy should be leveraged with tact. However, when used tastefully, it can foster a deeper connection with employees across various disciplines, learning styles, and educational backgrounds.
How to Implement a Best-in-Class Security Awareness Training Program
The core characteristics that make teaching effective include humor, brevity, consistency, interactivity, and testing. The same goes for awareness training, though there is of course much more to consider. Below are some key considerations to build an exciting security awareness training program:
Find training that empowers, not belittles: One danger of awareness training is falling into the trap of endlessly badgering employees about why they’re the problem. No one wants to open a training video to receive their two minutes of condescension for the day. Security awareness training should instead position employees as a critical line of defense with the potential to stop cyberattacks. Humor is a great tool to package up knowledge in a fun and empowering manner.
Monitor pass rates and participation to gauge efficacy: Are you seeing higher pass rates over time? Have employees completed training within 24 hours, or do they need to be nagged? Monitoring these metrics can give security teams insight into whether there’s a culture lacking in participation, and if so, how they can change that with the training. Monitoring the results also gives your organization the opportunity to provide more training to the employees who need it.
Make sure to vet your vendor: It’s important to consider what informs the training. Is your training vendor’s program built off data alongside a strong understanding of security and how employees engage with email? Do they leverage humor and storytelling, or stick with traditional corporate messaging? Your vendor’s expertise and methodology will impact the training’s approach and results.
Focus on long-term goals: What’s the future of the program? If you’re driven by compliance alone, you’ll sign up for a program, check the box, and move on. To drive a lasting impact, security teams should identify where their program is moving directionally so that it will engage employees in the long term. From there, you can align with your provider on how they’ll evolve the program over time.
Mandatory training of all kinds in the workplace has long been boring and ineffective. In an increasingly people-first workplace, organizations need to appeal to the humanness of their employees with humor and storytelling in order to drive engagement and retention. With a topic as critical as cybersecurity, this holds especially true. If your organization hasn’t yet embraced comedy in its security awareness training program, it could be missing the chance to teach employees a key concept that will stop the next major cyberattack.
As Vice President, Product Management at Mimecast, Sean Brady has over 20 years of experience in product roles across the information security sector. Prior to Mimecast, Sean spent four years at Sophos leading product management for the Sophos Central platform. Before Sophos, Sean worked in a number of product management and marketing roles across multiple companies, including global DDoS solution provider Netscout/Arbor Networks and RSA.