Cybercrime is on the rise, with hackers leveraging advanced AI and sophisticated social engineering tactics to exploit human weaknesses and circumvent strong technological defenses.
Cybercriminals are outpacing companies' ability to keep up, exposing even the most trusted employees to potential threats. The only way to truly protect businesses and people is to change human behavior and build a culture of security. All employees need to understand what hackers do and get help outwitting them.
The challenge is to avoid creating a program that is boring to participate in and quickly forgotten once completed.
Adopting a behavioral approach to training
Research and advisory firm Forrester Research Inc. is calling on the cybersecurity training industry to devise better ways to educate and enable “employees to protect themselves and their organizations from cyberattacks.” To realistically accomplish this, new tools must be used as criminals become increasingly brazen in their approach.
Criminals exploit our innate humanity and send messages that trigger our deep-seated flight or fight responses. Your home is about to be foreclosed on. Your life savings are being siphoned from your account. Something bad is going to happen, and it's about to happen. Our limbic system kicks in and logic tends to fly out the window.
Users must be given the means to maintain and regain control of their emotions. This gives them the ability to pause and tap into a better part of their nature: the frontal cortex, where rational, logical thinking resides.
Psychological research offers ways to harness the human element in concert with natural human behavior to make training more effective.
Drawing from a behavioral research corpus means using techniques that have been rigorously studied and academically proven in human behavior. It's no longer speculation; there is research to support this approach.
Let's take a closer look at three of these theories and exactly how they can inform the design of training programs that help employees build lasting connections, with the goal of making safe behavior second nature.
Use the flow
Hungarian-American psychologist Mihaly Csikszentmihalyi pioneered the field of “positive psychology,” with a particular emphasis on the concept of “flow.” This flow is sometimes described as being “in the zone.” This state increases concentration and immersion during challenging and enjoyable activities.
Most people can imagine what flow feels like, but achieving it consistently is more difficult. One technique is to adapt the content and exercises to the person's level of skill, because materials and tasks that are too basic will bore users, and those that are too complex will confuse them.
We also need to steadily increase the difficulty of the material so that people feel challenged and engaged. Designers are increasingly borrowing techniques developed for tabletop and video games.
Learning becomes more interesting and memorable when users participate in the story, experience things, and reflect on what happened. These activities also provide a blueprint for ensuring that information is presented in easy-to-understand chunks, so you don't overload your trainees.
This approach yields results. In the TalentLMS survey, more than four out of five respondents said these gamification techniques improved learning and built stronger connections with the content.
Continuous reinforcement
Content that is not reviewed is quickly forgotten. Hermann Ebbinghaus's forgetting curve shows a series of downward slopes that represent the rapid evaporation of retained information. Less than 10% of the absorbed items are recalled after a week. This is a significant loss when you consider the resource and time costs involved in preparing and conducting training.
Ebbinghaus' research into memory decline found that continuous learning is necessary to counteract the natural process of forgetting. It is especially important to time your repetitions.
This means regular review sessions rather than cramming. The approach is famously used by the language learning software Duolingo, which relies on continuous revisions and mandatory reviews to help tens of millions of users absorb, remember, and apply vocabulary and phrases.
This reinforcement should be positive in nature and make people feel increasingly competent in their ability to succeed. Aim to let people practice anonymously, without fear.
Over time, people realize that they can repeatedly prevent various types of simulated phishing attacks, and they become calmer and act more rationally. They can then draw on this confidence and understanding when faced with a “real” attack.
Learning in context
Psychologists such as Lev Vygotsky focused on the concept of constructivism (not to be confused with the similarly named art movement) and developed the theory that knowledge comes from experience rather than passive absorption.
This brings us to the idea of situated learning. Mock exercises should feel connected to the user's real life. Otherwise, it can feel like a meaningless and irrelevant theory. This means that the exercises should be interspersed with terms and phrases from real life and done in an environment that feels close to everyday experience.
This makes it much easier for people to see what they do “in the classroom” as a faithful imitation of what they will encounter in real life. They will be able to more easily contextualize information and quickly recall what they did in the classroom when they return to their regular work.
Achieve a higher success rate
This is not a comprehensive list of theories related to cybersecurity training. Some may find it helpful to examine the concept of self-efficacy by Canadian American Albert Bandura, or the concept of learned helplessness by Martin Seligman, another key figure in positive psychology.
Others may look at how Howard Gardner's theory of multiple intelligences and Richard Mayer's theory of multimedia learning encourage a broader approach to creating teaching materials, and how multichannel or multimodal approaches have been shown to be more effective than a single form of exercise. Interesting and sometimes provocative literature is being published all the time, providing new insights into how people store and recall information and adapt their behavior.
The takeaway from this literature review is not that you need a PhD in psychology to make decisions about training. Instead, leaders in the field should feel empowered and supported to scrutinize the fundamentals behind a particular approach when selecting or designing training, and to ensure it is tied to proven techniques.
Ultimately, training based on these principles can have a much higher success rate in creating a human-centered approach to preventing attacks on your organization. Rather than leaving the psychological toolkit to cybercriminals, we can also leverage time-tested insights from behavioral science to develop these mission-critical trainings.
These tools help ensure that employees often “win” the fight against criminals.