By Graeme Zwart, Head of Security
A psychology paper on how well people understand bicycles offers some useful lessons for anyone devising an information security training programme.
Back in 2006 psychologist Rebecca Lawson published a paper on ‘cycology’.1 She asked a simple question: could people draw the basic workings of a bicycle?
Around 40% could not. They made frequent and serious mistakes, such as drawing the chain looping around both the front and back wheels, or drawing the frame joined to both wheels, which would make steering impossible.
Errors were reduced, but not eliminated, among bicycle experts and among people who were shown a real bicycle while they were tested. The results demonstrate that most people’s understanding of this familiar, everyday object is sketchy and shallow.
What’s the connection with information security training?
People generally overrate their understanding and competence. In Lawson’s test, when asked to rate their knowledge of how bicycles work, participants rated themselves more highly than their drawings justified. The same applies to information security and to almost every aspect of life: most of us think we’re better drivers than we are.
So don’t assume that staff will retain the content because security training was included at induction, or because you tested them company-wide six months ago. Information security training is easier to remember if it’s relevant, short, sharp and fun.
Make training relevant
Some of the post-test comments from the ‘cycology’ study offer useful insights into how we learn. “I think context matters. I know a bike when I see it, but it’s different to recall when sat in a room,” said one participant. “I thought I knew more about the workings than I actually did,” said another. “I never knew how little I knew about things until I had to draw them,” said a third.
Make training role-relevant to help the content stick. If you’re training store staff, relate the content to their day-to-day duties. Similarly, if you’re training warehouse or head office staff, tailor the content to the systems and data they actually handle.
If you make training meaningful to staff in their personal lives as well as at work, it’ll be more memorable. After all, almost all employees have a mobile phone or some other means of getting online. Encourage staff to share the tips with family and friends outside work: explaining the content to someone else tests their own understanding and reinforces the lessons.
Consider delivery channel
Consider the logistics and cost of training a dispersed workforce. Classroom-based training has to be scheduled and takes staff away from their day jobs, whereas video and online training content can be delivered on demand regardless of shift patterns or location.
Your internal communications department may have some ideas about additional delivery channels to reinforce security messages. For example, posters in staff break areas, quizzes on the internal website and key talking points for manager meetings.
1 Rebecca Lawson, ‘The science of cycology: Failures to understand how everyday objects work’, Memory & Cognition, 2006, University of Liverpool, https://www.liverpool.ac.uk/%7Erlawson/PDF_Files/L-M&C-2006.pdf