logo image

ATD Blog

Instill a Cyber Security Culture, Don’t Deliver Tepid Training


Wed Mar 20 2019

Instill a Cyber Security Culture, Don’t Deliver Tepid Training

Eight in 10 cyber incidents are caused by human errors. Clearly, better training is needed. But many companies delving into cyber security training for the first time simply focus on raising their employees’ security awareness. That approach is unquestionably strong, but not everyone understands the term security awareness the same way.

In my experience at Kapersky Labs, I’ve learned that cyber security training works best when it matches three key criteria:

  • It is not pure theory; it teaches knowledge and practices that are relevant to employee job functions.

  • It uses real-life, illustrative examples.

  • It gives advice that learners can apply on the job.

Let’s take a closer look at each element.


That last point may sound obvious, but as L&D professionals know, it is often the most important—and most complicated.

Case in point: consider the typical advice on making passwords more secure. Common guidelines advice users to make every password unique, at least 18 characters long, and containing random symbols. In addition, users should change passwords at specific intervals, and never write down their passwords on paper.

In theory, that is solid advice. But is it applicable? Not really. Will everyone follow it? Not a chance. In fact, most employees will continue using “Passworddd123.” What’s more, many will post the password on a sticky note that they “hide” under their keyboard.

A better approach is to password training is to advise employees to create several complex “roots” that have meaning only to them and are not part of everyday speech (for example, “meow!72!meow”). To update the password, they should add a keyword to the root (for example, “oxygen-meow!72!meow”). For a reminder, users can write “aqualung-cat” on a sticky note (in other words, something that they associate with the keyword and the root but not the actual letters or words). Granted, from a strict cyber security perspective, that advice is still far from ideal. Any security expert would yell, “What are you doing? How can you advise people to write down part of their password?” However, the guidance is highly practical advice that real people can actually apply and follow in their daily lives.



Typically, cyber security training gets added to the agenda when a C-level leader decides it’s important to “raise security awareness”—in most cases, after some sort of negative security incident. Someone is put in charge and is expected to drop everything to develop and roll out a new program. Sound familiar?

Unfortunately, the result is that a long lecture on cyber is presented to staff. Perhaps, it’s a series of lectures rolled out during the ever-popular “Cyber Security Week.” In the end, employees will have completed training that someone can check off their to-do list, but will there be a real change in behavior? Sure, some employees will feel shaken, and for a week or two, they will examine each incoming email to guard against phishing attempts. But what will they remember in a month?

No doubt, training’s compatibility with everyday work tasks is a sensitive issue. That is why I avoid simply overloading people with information. Instead, I like to present a couple of small activities—lessons, tests, and simulations—per week that give employees a digestible amount of information they can integrate with daily work. This approach is all about building a foundation for a cyber security culture.

Relevance and Visualization

We work with people, not with faceless accounts. If learning isn’t interesting and relevant, it will be forgotten quickly. It’s important to target your training for a specific group to add relevancy. After all, why would we train someone who has no access to banking systems on resisting financial cyber threats? Accountants, on the other hand, need a deeper understanding of those threats specifically. To address this issue, one approach is to use a system of levels. Each level is then recommended for a group of employees with a common area of responsibility.

To make cyber training more interesting, try deploying interactive simulations. They go beyond giving simple information about threats and allow learners to apply practical expertise. They also may be the best way to get participation from managers, who may have extensive access but rarely agree to attend common training sessions.


These are just a few strategies for developing cyber security training that learners not only need but want. For more insights, join me March 26 for the webcast, Don’t Get Hacked! Develop Better Cyber Security Training. You will learn how to fight people’s misconceptions about cyber security and how to roll out training that engages learners and ensures knowledge transfer.

You've Reached ATD Member-only Content

Become an ATD member to continue

Already a member?Sign In


Copyright © 2024 ATD

ASTD changed its name to ATD to meet the growing needs of a dynamic, global profession.

Terms of UsePrivacy NoticeCookie Policy