ATD Blog
How to Improve Cybersecurity Training
If your organization hopes to succeed in combating cybersecurity failures, consider testing.
Wed Mar 04 2026
Concerns about cybersecurity are growing daily, and much of the focus is on employees’ roles in maintaining system security. There is concern about employees being scammed or defrauded. I was recently interviewed for a Newsday piece about text message scams employees may encounter. Specifically, I was asked about scams involving text messages from leaders that fooled employees into giving up information to scammers or providing access to sensitive company information. The article reiterates many points about training employees to avoid sharing confidential information. My friend and fellow ATD member Larry Kravitz (follow him on social media, he’s awesome!) commented on the need for employees and organizations to educate themselves on the topic. I shared a recent ATD piece about the ineffectiveness of cybersecurity training with Larry, and it got me thinking about why this important training wasn’t effective.
In ATD’s article on the lack of cybersecurity effectiveness, the researchers found that many participants completed the training in under 10 seconds. This indicates that the trainees felt the training wasn’t serious and was a “check the box” exercise. A check-the-box exercise is any training activity whose goal is to achieve a level of compliance among employees, whether or not learning has occurred at all. My friend Larry had given a talk at Disrupt HR a few years ago about when training was the solution and when it wasn’t. In this situation, I don’t think the problem is the training but the learning environment surrounding the training. It’s the motivation of employees to take the training seriously. As I considered the question, I developed an unpopular but very effective solution that would work well for an essential training topic like cybersecurity.
Testing isn’t just for evaluation
As a training and development practitioner, I lean on my knowledge of industrial-organizational psychology (also known as the psychology of work) to understand how employees learn. An area where psychological researchers know a lot is learning. One of the least popular and often underutilized tools for employee learning is testing. The research shows that testing can not only be used to evaluate training but also help learners learn (Polack & Miller, 2022). In compliance-based learning, the focus is on having employees test out of the training to show completion rather than indicating genuine skill. If you want your learners to take the training seriously, take the testing after the training seriously.
Testing should be relevant and doesn’t need to be a multiple-choice exam. It could be a simulation like the ones highlighted in the ATD article. Testing doesn’t need to occur at the end of the training, but short or lower-stakes learning assessments can be included throughout it. When implementing any training, the best practice is to have senior leaders emphasize its importance. In situations where employees aren’t paying attention to the training at all, asking them to pass a more difficult test to complete the training and receive the completion certificate shows how serious the topic is. If senior leaders communicate the seriousness of cybersecurity, its importance to the business, and its relevance to employees’ work, they can increase the perceived importance of the training.
Many learners and talent development managers fear testing because they worry that trainees will look foolish or show a lack of performance ability. When designing your training and testing, be sure to include lower- and higher-stakes testing in your program. Low-stakes testing can help to build employees’ confidence in their ability to complete a later test. Increasing difficulty and finding the right level for employees to complete their testing are important, rather than looking at employees completing one test at the end of their training. Yang, Pazo, & Persky (2019) found that repeated testing could lead to better learning outcomes and improved performance. Learning through testing is known as the testing effect. The testing effect is defined as learners recalling information better after they have been tested for it (Eisenkraemer, Jaeger, & Stein, 2013). Very few talent development professionals leverage this effect, but it may be an effective solution for cybersecurity training.
Overcoming Resistance to Testing
Despite scientific evidence showing that testing aids learning, there is still significant resistance to its use. Testing has to change to meet the needs of talent development, so finding an effective testing and assessment partner is key to developing an effective assessment (Frank and Jaffee, 1995). The right testing partner will help you:
Develop a testing process rather than a single assessment.
Co-create the learning material so it matches what they learn in the course.
Design tests and assessments for a wide range of difficulty levels.
Provide you with an item analysis, validity, and reliability report.
Provide test maintenance over time.
In addition to overcoming testing challenges, talent development professionals must clearly communicate expectations to senior leadership and frontline employees about the importance of the training and their ability to perform on an assessment. You’ll note that the examples I shared earlier of successful testing all occurred in medical settings with nurses, doctors, and other healthcare workers. In healthcare, errors cannot be tolerated, so testing and training are developed to improve performance. White-collar jobs could benefit from this kind of cybersecurity focus since security failures will cost organizations more than $10 trillion.
If your organization hopes to succeed in combating cybersecurity failures, consider testing. It will require more planning and more persuasion to get done, but the benefits will outweigh the costs.