"I've been involved with security awareness training for several years now, and I can't remember one single compliment on any of our previous courses," sighed Alex Yokley, Director of Corporate Information Security at Western Union.
Sound familiar? Probably so, as too many people involved in training employees on information security are singing the same song. And who can blame the bored employees? The fact is most compliance training programs are incredibly dull. User surveys consistently report that the only reason people take the courses is because they have to.
It turns out that employees taking required courses are just checking a box--just like the many information security people who administer the training. It seems that "checking the box" rolls downhill. The only difference is, when the course takers check the box, they also check out, forgetting what they learned only minutes after completion.
But Yokley, together with information security engineer Kim Hickman, decided it was time to take a different approach--a radically different approach. An approach that would mean escaping from the box of traditional, yet ineffective and uninspiring training that ultimately yields nothing but annoyance and dissatisfaction. Did their departure from the well-worn path work?
It did, indeed. Upon rolling out the newly designed course, the duo began to sing a very different kind of song. "We've been overwhelmed," Yokley says, "by the incredible volume of positive responses we received within just the first 24 hours of launching the course. It was, in every respect, a huge success." And with hard data in hand to prove that success, Yokely and Hickman continue to push the boundaries of information security education. We recently sat down with them to learn more about how they accomplished it.
What led you to undertake such a bold awareness training initiative?
Kim Hickman (KH): For years we'd been conducting the traditional training courses; the usual bunch of slides that takes you 30 minutes to get through. And one of the things they all seem to have in common is they push way more information than anyone can realistically take in. What's more, they leave it to the course takers to decipher which pieces of that training actually apply to them. So rather than lose them altogether, we wanted to find something that would be more engaging and fun and yet still get the point across.
Alex Yokley (AY): Historically, our courses were like many other corporate training courses you see: lots of bullets, lots of words, lots of mandatory clicking, and a test at the end. They're just boring. Besides, the annual training courses are really not the ideal time and opportunity to be teaching people new concepts. People just don't retain the content when it's presented in that way. Rather, the annual event should be an occasion to reiterate the basic concepts that they should already know, but just need to reinforce. That led us to reevaluate the whole process, to approach the training in a different, more relevant and effective way. And that's what provided the spark to create what became the "Day in the Life" course.
Tell me more about the central theme that drove the development of the course content.
AY: We all have little "security moments" throughout the day. Oftentimes you don't even notice them, but subconsciously you're actually making a decision. It's either a good decision or a bad decision. The big idea behind our course was to simulate those every day moments, and in the process, teach people the proper responses when confronted with those forks in the road. Frankly, they don't care that there's a government regulation driving this; they just need to know in that moment how to respond. So we identified the scenarios that would apply to almost everyone in the company--all the common dilemmas that we all face, and those became the basis for the course.
That's quite a departure from the typically rigorous coverage of a broad scope of security awareness issues. Most traditional courses really do try to cover all the bases.
KH: That's right, they do. But instead of the hundred things that you might think about from a security perspective, we really pared it down to the ten issues that affect everybody. So instead of a hundred topics, of which only ten might actually be relevant to the individual taking the course, we focused on what matters most to everyone in the organization.
AY: If every employee knew how to respond to those ten scenarios, our overall security would go way up. The fact is, every employee walks in the door every morning and might experience a tailgating situation. And that's true whether you're a hard-core systems developer or the VP of Sales or an administrative assistant. We all get emails, some of which are dangerous. We all surf the Web and need to know which sites are safe. So we set out to find those common denominators that speak to every employee. And only with that baseline established can we really begin to introduce the more advanced concepts, which we do throughout the year. Again, people don't care about regulatory compliance, per se; they simply want to know what's in it for them--and that was another key aspect we wanted to build into the course. One way we approached that was to arm people with the kinds of security awareness information that they can also use at home, whether it's identifying phishing emails or knowing that a website is encrypted before they submit their credit card information. That's valuable information they can apply at work and at home, making it even more relevant to a wider audience.
Another "radical" step you took was to eliminate the test at the end of the course. Why did you do that?
KH: There was definitely a conscious decision to eliminate the test at the end. The notion of the test comes from that traditional "check the box" mentality. Our objective is not only to drive completion from a compliance standpoint--which obviously is important--but retention of the information that ultimately leads to a change in behavior. When the course is fun and engaging not only do you get a better completion rate, but better retention, as well. So, with the guidance of MediaPro, our training solution provider, we designed our course to test and reinforce their knowledge in a more natural manner as they progress through the various scenarios.
AY: The knowledge checks occur throughout the course, which provides a more organic context. It's also at those points that we want people to be engaged--that's really where they "get it." There's no need to test them twice. We apply techniques within the course where, for each of the ten scenarios, a little bell goes off, alerting them to a new security moment. For example, there's a scene where a character finds a flash drive in the parking lot and wonders what he should do with it. In real life when someone finds a flash drive, maybe that little bell will go off in their head and they'll realize that this is in fact an actual security moment. And the decisions they make will either strengthen or weaken our overall security just that much. As Kim mentioned, the employee taking the test in a traditional sense also has this "check the box" mentality. But by doing the training this way it becomes something bigger than that.
Did you have to work to get management support to create such a new approach to training?
AY: We really didn't have to push too hard. Everybody knew that the traditional training was not optimal, but there was a certain "wait and see" attitude. People naturally wondered, is it going to work, is it going to be too corny, too silly, too soft? But everyone was definitely open to a new approach.
KH: The fact is, we and the management were all in the same boat, and so they were supportive.
AY: There are still departments doing training the old fashioned way, but they're getting feedback from users that this is how they want to be trained. Still, it is hard for a lot of groups who are used to that traditional approach, and it does check the box. So to move away from that is a bit of a leap. Seeing others do it makes it easier, though, especially when they're successful. There's a lot of good information in the dictionary but no one reads the dictionary. You've got to find new ways to deliver the content. The reason people like this course is that it's relevant to their jobs. The situations that we portray in the course are the ones they encounter on a daily basis. And we made it fun. Those two components made it successful. And as someone who has to take training courses, I know what I like, and what I don't like. We really worked hard to incorporate the perspective of the user. The management appreciated that, as well.
Was there ever a fear that you might fall short in terms of the regulatory requirements?
AY: It's important to emphasize, our goal is not to check a box; we're actually going above and beyond mere compliance. The only requirement I've ever seen is that you conduct annual security training for all employees. The regulations don't really tell you how to do that or what subjects to cover. But our goal is to change behavior, not just satisfy some regulatory requirement.
KH: At the same time, though, we are meeting those requirements. We're not about to jeopardize that in any way. If anything, our approach to training strengthens our compliance profile because we actually take it to heart, and in ways that benefit everyone involved.
How did you go about finding a partner to develop the training?
AY: As we were looking at the companies that provide awareness training, we were referred to MediaPro by one of our colleagues, Chris Gunias, who is Director, Records Information Management. Chris had just completed a new course, and we were impressed with what he did. He took a very novel and engaging approach to privacy training, which can be pretty dry. We also knew we wanted something different.
KH: We hadn't really set out to do a custom course from the outset, but after looking at our options, it seemed to be the way to go.
AY: The pitfall you run into when you partner with a training vender, and start with their off-the-shelf course, is all this prewritten language and all these boring security facts that you just want to start stripping away. By establishing a collaborative environment with the solution provider, it allowed us to maximize the creative aspects and really hone in on the core message we wanted to deliver.
What was the process for building out the course concept?
AY: We really just started with this idea of simulating a day in the life of a Western Union employee. Once we locked that in, everyone got excited and could see the vision, and that helped build the momentum.
KH: The process itself began with creating story boards for the various scenarios. That was a very different process from what we were used to, but as we went along, MediaPro helped us to visualize what the finished product would look like. There was a lot of exchange of ideas as we settled on the various sequences. From the simple things to the more complex features, whatever we wanted to have happen in the course actually made it into the course. On the knowledge checks for example, some are simple Q&A events; others are more complicated in identifying phishing emails or other scenarios that required fairly sophisticated interactivity.
Reinforcement of the annual training event is also a key component of your program. How are you approaching that aspect?
AY: We do quite a variety of things from a reinforcement standpoint. We're presently working on a security awareness calendar that will reinforce twelve key concepts: one for every month. We also publish a blog to share bite-sized security awareness information, and we conduct regular phishing exercises, which reinforce the specialized phishing part of the course. We've actually customized all components of our program; we don't use anything out of the box. And yet, we've standardized the content across all departments and geographies. We're a pretty small team, so to provide a lot of differentiation is a challenge. We're really focused on broader tools that we can share with the entire organization.
KH: We also conduct quizzes throughout the year that provide the means to measure the results, but they have the effect of reinforcing the information, as well. We get a double benefit there.
Tell me more about how you're tracking the effectiveness of the program. Have you seen tangible results?
KH: Of course you always wonder if you're making an impact, if your efforts are paying off. So to gauge and quantify that we started conducting these 20-question quizzes, sent to a different sampling of the employee population every month. We trend the scores over time to see if, as an organization, we're getting better. And we have seen improvement since we launched the new security course, with quiz scores now averaging 89%. It is definitely raising awareness and changing behavior. We expect to see the scores continue to climb as more people take the Day in the Life course.
AY: And I would add, with confidence, the odds of people remembering this course are much higher than the odds of them remembering anything from our previous courses!
Were you surprised by the way A Day in the Life has played out?
KH: We did wonder how it was going to fly. We think it's pretty clever; we chuckle when we review it, but we also wondered whether it would be received "out there" in the same way, if would it translate all over the globe. And yet, the positive feedback came from all over the globe, not just the US colleagues. The feedback came from Lithuania, Argentina, Canada, all over. It came from different departments, different levels--the whole hierarchy--including even hardcore IT security people.
AY: We've been doing security training for years now, and none of our previous courses got any feedback from the users--positive or negative. But we received immediate feedback from users saying they loved the course, they loved this new style, it was relevant to them, they learned something, and still today, almost every day we get an email from someone complimenting us on the course. So it's nice to be able to add that qualitative feedback to the measured results.
KH: I think the key thing is simply wearing the hat of the user taking it versus the teacher teaching it, which is another aspect of the overall strategy. We're just thrilled with the results. We figured there would be some people who didn't like the new style, but we haven't heard from any of them.
AY: At the end of the day I was just hoping most people wouldn't hate it. That was my criteria for success! And we blew that away.
John Schroeter is Director of Marketing at MediaPro, a provider of security awareness training solutions.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.