COVID-19 has forced millions to work from home; meanwhile, the rate of data breaches, ransomware demands, and other cybercrimes has climbed dramatically, yet employee training remains outmoded and over-commoditized. For companies to defend themselves, says Stronger International, a new approach to employee training is needed.
Heather Stratford, CEO of cybersecurity firm Stronger International, notes that 2020 has been a good year for cybercriminals. Recent studies show a 238% increase in cyberattacks against banks(1) and a 667% increase in phishing schemes.(2) On the ransomware front, there has been a sevenfold increase in attacks(3), and the average ransomware payment has increased by a third, to $111,605.(4) Meanwhile, business leaders agree that the single largest cybersecurity risk to U.S. businesses is employee negligence, such as accidental loss of a device or a document.(5)
“The problem isn’t really lack of employee training,” says Stratford. “There’s a lot of cybersecurity awareness training going on. The problem is that much of it doesn’t accomplish anything.”
A recent study conducted by Forrester Consulting, for example, found that while 59% of surveyed security and IT managers thought their security compliance training was adequate and effective, more than half of surveyed employees disagreed. More than one-third of surveyed employees who had attended security awareness and training (SA&T), in fact, still admitted to disregarding security policies.(6)
One key reason for this disconnect, says Stratford, is that many training programs rely on outdated content delivery approaches such as lengthy presentations followed by assessment testing. This, she says, is not how today’s workforce processes information. Research shows that today’s typical employee works on a task for about 11 minutes before being interrupted by a phone call, an email, or a co-worker. Within that span of 11 minutes, he or she engages in multiple short, quick tasks that average about three minutes each. If the task involves consuming digital information, the average worker spends just 20 seconds on one piece of content before moving on to the next.(7)
For such employees, notes Stratford, microlearning, which involves breaking content into bite-size chunks and testing learners on each small piece of information, produces deeper engagement and better results than traditional training methods. In a study conducted by Dresden University of Technology, students taught through microlearning showed a 22% greater retention of information than a control group given traditional training on the same material. In addition, the microlearning group took 28% less time to answer questions and performed 8% better on a comprehensive exam covering all the material.(8)
A highly effective approach in today’s cybercrime-threatened workplace, says Stratford, would be to combine microlearning with gamification, which involves applying typical elements of game playing (point scoring, competition with others, rules, etc.) to cybersecurity awareness training. Contemporary workers, a large percentage of whom are members of the much-studied millennial generation, she notes, respond extremely well to gamified material, not only in terms of content retention, but in their overall relationship to the organization.
In a 2019 study of employees whose work involved the use of apps or software that incorporated elements of gamification, 83% of those who received gamified training said they felt more motivated by it; 61% of those who received non-gamified training, on the other hand, said it made them feel bored and non-productive. When asked in which category of app they would like to see more game-like effects, the largest contingent—33%—selected training software.(9)
“In today’s world,” says Stratford, “it is essential to provide employees with the information they need to help prevent cybercrime, and to provide it in ways that ensure the employees remember and make use of it.”
Properly applied, gamification and microlearning are tools that can make a significant difference not only in employee engagement and satisfaction, but in overall corporate security. Stratford claims the industry has gotten lazy: over-commoditized, competing only on price, and even cutting prices so low to shut out the competition that it has created a real imbalance.
“Microlearning gamification will be the paradigm shift that will remove fear-monger selling and the commodity trap for the entire industry,” she continued. “A little personal touch is going to go a long way.”