Humor and storytelling humanize awareness training programs for better knowledge retention and employee engagement.
By Sean Brady, VP, Product Management at Mimecast
Bueller? Bueller? Anyone?
We’ve all experienced a boring teacher who completely lost the interest and participation of the class. I have a teenager, and it’s remarkable to watch how fast he switches off and rants about repetitive or unengaging lessons on the ride home from school. If the brain is meant to be a sponge, a boring teacher offers little for it to absorb. The same is true of security awareness training and user behavior.
With email-driven cyberattacks on the rise, awareness training is a key foundational pillar in establishing a culture of cyber engagement within an organization. The problem, though, is that security awareness training programs, when executed poorly, are reminiscent of the bone-dry lessons from our school days. Training can bring our academic foibles to bear; perhaps we resent getting lectured, don’t care about the course material, or have anxiety about being tested. Maybe we’re all just teenagers at our core.
And yet the efficacy of strong awareness training is clear: Employees who receive consistent security awareness training are five times more likely to spot and avoid clicking on malicious links, according to the Mimecast 2022 State of Email Security Report.
The challenge for security teams lies in finding a program that is both informative and engaging. Awareness training should drive home key concepts while providing reporting metrics for organizations. On a tactical level, training needs to recognize and support the diversity of its audience. How can you appeal to both the accountant and the graphic designer while also factoring in varying abilities, genders, origins, languages, and backgrounds? And as the cherry on top, training should be enjoyable. Humor is a key part of any effective training program and can help establish widespread engagement on the awareness level, get the right message across, and build a more cyber-aware culture over time.
Think back to your favorite teacher from school. What were the characteristics that made them a good teacher? They may not have taught your favorite subject, but they were able to deliver the subject matter in a way that struck a chord. That’s what a comedic spin can do in security awareness training.
Humor is the best path to finding common ground and driving engagement. Envision a training video with a lone presenter speaking in front of a greenscreen vs. a light-hearted skit shot in an office setting with characters that are consistent throughout the program. Which is more relatable? Which tells a better story?
No one’s job is to be trained—our jobs are to do a variety of things across the organization. Training should feel like a brief reprieve from daily tasks, not a chore to be completed. Levity and creativity that keep employees guessing (and chuckling at their desks) nudge them toward immediate engagement and completion rather than avoidance.
Cybersecurity training covers serious topics with real-world impact on humans and businesses around the world, so comedy should be leveraged with tact. However, when used tastefully, it can foster a deeper connection with employees across various disciplines, learning styles, and educational backgrounds.
The core characteristics that make teaching effective include humor, brevity, consistency, interactivity, and testing. The same goes for awareness training, though there is of course much more to consider. Below are some key considerations to build an exciting security awareness training program:
Mandatory training of all kinds in the workplace has long been boring and ineffective. In an increasingly people-first workplace, organizations need to appeal to the humanness of their employees with humor and storytelling in order to drive engagement and retention. With a topic as critical as cybersecurity, this holds especially true. If your organization hasn’t yet embraced comedy in its security awareness training program, it could be missing the chance to teach employees a key concept that will stop the next major cyberattack.
As Vice President, Product Management at Mimecast, Sean Brady has over 20 years of experience in product roles across the information security sector. Prior to Mimecast, Sean spent four years at Sophos leading product management for the Sophos Central platform. Before Sophos, Sean worked in a number of product management and marketing roles across multiple companies, including global DDoS solution provider Netscout/Arbor Networks and RSA.