With the constant rise of cyber security threats, organisations recognise the growing need for appropriate staff awareness training. However, the increasing amount of e-learning and other training interventions on the subject of cyber security does not always lead to the desired outcomes. On the contrary, the continuous ‘push’ of traditional training courses upon employees can quickly result in learner fatigue, with well-intended learning tools being perceived as ‘yet another module’ to sit through.

However, thanks to novel, proven methodologies, organisations also have the power to combat this cyber security awareness fatigue and engage their workforce.

The ‘Pull’ approach versus the ‘Push’ approach

In this post we will examine the benefits of replacing a traditional ‘push’ deployment method with a more modern ‘pull’ approach, which is better suited for mature audiences and proven to provide participants with a sense of empowerment, increasing positive learning outcomes.

‘Pushing’ cyber security awareness interventions out to your audience makes participants ‘passive’ students to be ‘taught’ or ‘vessels’ to be filled with information. This passivity can set the tone for the entire agenda, and can result in a lack of motivation and even learner resistance, regardless of the quality of the actual training at hand. This approach can be particularly unfavourable in the area of cyber security, which is already a subject perceived as prescriptive, with plenty of ‘you-musts’ and ‘you-must-nots’. While many people love to learn, few like to be ‘taught’.

So, why do we push?

An obvious reason for the persistence of this approach is the convenience of habit. In a fast-paced corporate environment where stakeholders often have too many commitments to handle, it is all too convenient to stick to existing ways and send learning out for completion without giving it further thought.

Other, related factors are the roles of time and circumstances as drivers for cyber security awareness measures. For example, the training could be an urgent response to a security incident, wherein an employee opened a corrupt email attachment. To act as a quick countermeasure that stops further employees from making the same mistake, it is only logical to push out the necessary training interventions and oblige users to complete them as soon as possible. Moreover, cyber security training is often a step towards compliance with a certain standard or regulation, meaning that prompt roll-out and an audit trail of organisation-wide completion are essential, leaving little room for more modern deployment methods.

How to pull

As the name suggests, rather than ‘pushing’ training out to learners to be completed by a certain deadline, the target audience should be drawn to the exercise, feeling as though they are making an autonomous decision to participate. Although it can seem hard to achieve, this difference in learner perception can have remarkable effects on the outcomes of an organisation’s cyber security training.

In other subject areas, ‘pull’ learning is often associated with concise ‘on demand’ resources, which learners can consult on the job, exactly as and when they need them. For example, employees could make use of a ‘how to’ video whenever they have to use newly introduced software.

However, as cyber security awareness, knowledge, and skills need to be omnipresent throughout an organisation, the ‘pull’ methodology has to be executed not only through the idea of accessing information when and where you need it, but through empowerment, responsibility, the right timing, formats and rewards.

An effective way to pull learners towards your cyber security awareness programme is to consider it as a ‘product’, and adapt strategies from marketing and advertising to ‘sell’ it to your audience.

Empowerment and responsibility

To draw learners to the training, it is important to convey the rationale behind your awareness programme by listing the benefits and reminding staff of the potential consequences that non-compliance can have in every segment of an organisation. Following this, the training can be presented as their ‘solution’, providing them with a strong sense of empowerment and responsibility to protect the organisation from cyber threats.

Timing

Unlike the traditional ‘push’ deployment for e-learning courses, the timing for release has to be considered in accordance with a number of situational factors: is it a particularly busy time of year? Have there been any recent threats in the public eye? These are just some of the many questions that learning departments and information security functions have to ask before launching a cyber security ‘pull’ awareness initiative.

Format

While ‘push’ deployment often takes the form of a weighty 45-minute to 1-hour long e-learning course, the ‘pull’ methodology should offer small learning units that are easily digestible and don’t present the audience with a ‘daunting’ task, which requires them to set aside time during their work day. To facilitate this, and keep learners coming back to explore different units, a phased roll-out can be used, offering regular reminders in the form of newly released concise ‘chunks’ or ‘learning bites’. Moreover, the content presentation has to be compelling, and encourage learners to return to explore it frequently. For this purpose, gamification can be an effective tool to drive your ‘pull’ strategy.

Rewards

Despite the seemingly optional nature of the learning, there will have to be a reward for users who choose to ‘opt in’ and take the training. This can be realised through entry into a company-wide prize draw, for example.

What if my organisation can’t adopt a ‘pull’ approach?

As mentioned, your organisation may face an immediate requirement, setting out compulsory cyber security training to be completed by everyone within short timescales, leaving stakeholders with little room for manoeuvre. However, this does not mean that you can’t make use of the pull methodology as a complementary device to expand and reinforce your employees’ cyber security awareness. While a basic, compulsory e-learning course can be ‘pushed out’ to satisfy imminent needs, additional materials or consolidation tools can be made available as attractive ‘pull’ resources at a later date. No matter how urgent the requirement, a compromise can always be found.

Find out how IT Governance can help you implement an effective Security Awareness Programme that achieves lasting cyber security awareness by tackling behaviour, culture and employee attitudes through multiple channels, media and resources.