Security awareness training: 5 essentials

With more organizations adopting a hybrid work model where some employees are in the office and others work remotely, security awareness training is more important than ever.

Unfortunately, effective training is hard to deliver to remote employees. When the person receiving the training isn’t sitting in front of you, it’s hard to keep them engaged, and when they’re not engaged, they are less likely to follow sound security practices in their daily work.

But there are ways to retool security awareness training for hybrid environments. Here are five such approaches, according to Exterro:

1. Use the principles of gamification

As the name implies, turn your training into a game. Think of it as a jigsaw puzzle: you put in some of the pieces, then motivate your employees to put in the rest. First, introduce them to what you want to teach. For example, it could be ransomware. In this instance, you explain how this kind of attack unfolds (no need to get into all the technicalities here—if you do, you will lose them instantly). Then, engage your employees with simulation exercises to build their interest further. To motivate them even more, award points and recognition badges after they have successfully completed a particular task. For example, if they spot the beginning of an attack (such as receiving a phishing email) and take the right steps to mitigate it, such as deleting the email and notifying the IT security team, you award them an honorary badge. If you use gamification in your cyber training, it is important to break your employees into teams to foster a more collaborative environment.

2. Make the training relatable

One of the best ways to make your employees understand the full ramifications of a cyberattack is to talk about a real-world scenario. But to demonstrate its full impact, you need to show how it affected somebody they are close to, such as a coworker. It will make the strongest impression if you can bring the affected coworker in to talk about it. For example, if an employee in your company has been a victim of identity theft, perhaps you can get that person to discuss how they found out about it, how it affected their daily life, and the steps they have taken to reduce the risk of it happening again.

3. Make trainees laugh

Yes, cybersecurity is a very serious thing, but remember the old saying that laughter is one of the best forms of medicine? Recent studies have shown that laughter is also one of the best ways to cultivate a sense of trust and goodwill among your employees, which helps them learn.[1] A good way to engender this is to have your employees perform funny skits that simulate real-world security breaches. For instance, one employee can play the role of a cyber attacker while another plays the role of an administrative assistant. The skit could mimic a social engineering call in which the attacker’s goal is to get a large sum of money wired from the company into a phony offshore bank account.

4. Use a variety of styles

One of the worst things you can do in a cyber training program is to use a lecture-style format that drones on and on. This is guaranteed to lose the interest of your employees in the first 10 minutes. Instead, mix up the training program by varying its content. For instance, the first part can be a lecture about phishing emails, followed by a game, followed by a real-life story. With this kind of approach, you can almost bet your employees will walk away from the training with a much better sense of how to identify a phishing email and the corrective steps they need to take if they get one.

5. Incorporate video

At the end of the cyber training, one of the best ways to recap the major points is to put them into a video, which also adds variety. It is important to keep this video short, no more than 4 to 5 minutes in length. The video should not be someone just talking; it should be engaging as well. For example, use cartoon-like characters to keep your employees’ interest.

Cyber training must be held on a regular basis to keep employees’ level of cyber hygiene at its highest. Some suggestions:

  • Have your training sessions once a month or at a minimum once a quarter.
  • Keep them no longer than one hour in length. After that, you are guaranteed to lose your employees’ attention.
  • Make sure you are reinforcing the concepts you have been teaching. For example, from time to time after employees have completed their training, run a mock phishing attack to see how many of them fall prey to it.
  • Make use of metrics to quantify the ROI that your company is getting from the training. This is what your CIO and/or CISO will want to see, so if you can provide these kinds of numbers, you will have a much better shot at getting more funding for future cyber awareness programs.

Bill Brenner

Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. He was formerly director of research at IANS, senior writer/content strategist at Sophos, senior tech writer for Akamai Technology’s Security Intelligence Research Team (Akamai SIRT), managing editor for and senior writer for
