Jason Hong | January 30, 2013

Why Are Short, Interactive Training Modules the Best Way to Teach End Users?

There was a recent post in the Spiceworks community questioning this approach to training.

Here’s a link to that post.

http://community.spiceworks.com/topic/292397-is-security-awareness-training-in-modules-really-working

Directly answering the OP's question, "Would you install a firewall and slowly, over time?" Well, people aren't computers and shouldn't be treated as such.

But the OP is asking a good question: Why use short modules spread out over time, versus other kinds of training approaches?

One answer lies with the scientific research. In a comprehensive report prepared for the National Center for Education Research, several of the foremost scholars in education research (who altogether have several decades' worth of experience in studying how to teach people more effectively) distilled the state of the research into several recommendations. Here is a link to the report: http://ies.ed.gov/ncee/wwc/PracticeGuide.aspx?sid=1

One of the report's key recommendations was that learning should be spaced out over time, separated by periods of at least several weeks or even several months. While this creates some tension with the desire to solve the security problem immediately, spacing out learning over a longer period of time should make people more effective in terms of understanding the concepts and retaining what they have learned.

(The report has several other recommendations that we also incorporate into our training, including, for example, combining graphics with verbal descriptions, connecting abstract and concrete representations of concepts, and using quizzing to promote learning. I won't discuss these here since they aren't directly related to the OP's position statement. You can read our article in Scientific American about how we applied these and other learning science principles in our work on security awareness and training.)

Another, more pragmatic reason why we went for a modular approach to security is that there are so many topics a person needs to know to be effective. It is simply infeasible to try to cram every single topic a person needs to know into a one-day, two-day, or even three-day session and expect them to do all of them well immediately afterward. Not to mention the hit to employee productivity.

Here is a sample (and incomplete!) list of things a modern office worker needs to know with respect to security:

  • How to create a strong password
  • Why you shouldn't share passwords
  • What are phishing attacks, and how to identify them
  • What are common social engineering attacks, and what to do
  • Teaching people that social engineering can happen over email, phone, SMS, Skype, social networking sites, and in person
  • Proper handling and usage of personally identifiable data
  • Common attacks on social networking sites, and how to identify them
  • Protecting your smartphone with a PIN or other locking mechanism
  • Physically protecting your smartphone
  • Teaching people about smartphone malware and how to avoid it
  • Real examples of where people used their smartphone improperly that led to major problems
  • Making sure people are aware of the risks of malware
  • Teaching people about common malware vectors (fake AV, fake emails, fake web sites, fake codecs, etc.)
  • Understanding what the different locks in web browsers mean
  • Proper use of USB keys and other kinds of external storage
  • The reality of malware attacks via USB keys
  • Proper disposal of sensitive data
  • Only using public computers for non-sensitive tasks
  • Avoiding publicly available WiFi (unless you have encryption)
  • How to check if your wireless network information is encrypted

And the worst news is that this list only keeps growing.

Now, fortunately, most of these topics don't require a degree in astrophysics to do well. We can teach people best practices in each of these areas. Furthermore, by spreading things out over time, in small chunks, we can reinforce learning of common themes, so that over time people will be able to see and think in a way that helps improve an organization's overall security posture.

So, in summary, there are a number of advantages to a modular approach, in terms of improving learning, in terms of keeping the topics manageable, and in terms of employee time and productivity.
