Welcome to Fantasyland, where the budget is limitless and the users pay attention to everything you say!
In Fantasyland you have amazing annual training that lays a solid foundation of information for your users. You have created testing that accurately and effectively measures user understanding of the training without being too hard or too easy. You have created additional content (e.g., posters, viral videos, newsletters, lunch and learns) that calls back to the concepts taught in training and changes user behavior. You have done it all.
So how do you implement this amazing content?
All-at-Once?
Imagine that every year your user comes to a room that is plastered with your amazing posters. They sit down at a computer and watch training videos on topics like ‘secure cloud computing.’ This is followed by a quiz, followed again by a wonderfully crafted newsletter you created on how to ensure that all data in the cloud is safe. It all ends with showing them a funny viral video involving cats, Megan Fox, or David Hasselhoff. Since we know they fully attended to all that information (remember, this is Fantasyland), how long do you think their behavior will be affected by the training?
1 week? 1 month? 1 year?
Considering that most annual awareness training programs contain at least 20 topics, all needing a video, quiz, poster, and additional content, I’d give it 2 weeks. Maybe 6 weeks for the topics that really resonated with them (e.g., Protecting your family on Facebook). That’s right, not even 2 months after presenting all this content, most of it will be gone until next year. This points to an important part of any security awareness architecture.
Immediate v. Delayed Stimulation
In the previous example, all of the content was set up as immediate stimulation. The user was presented with all information at once and did not see it again until a year later. While this does get all of the information across, it does NOT produce consistent behavior change across the entire year. To do this you have to use a mixture of immediate and delayed stimulation. By combining the two techniques you are able to lay a solid foundation of awareness that is consistently recalled by the user throughout the year. If done correctly, you can even manipulate what is recalled based on what is presenting the most vulnerability within your organization at the time.
When to Implement Different Types of Content
Annual Training- This type of content can include everything from basic videos on passwords that everyone has to watch, to more specific role-based training that targets the information to fit the tasks of the user (e.g., Data classification for all users with a clearance). Annual training is where the foundation of information is established and is essentially ‘ground zero.’ Considering the density of the information, as well as the time required by the user, annual training should only occur once a year. Some companies choose to spread it over the year, and that is fine. The main point is that there is little to no value in using annual training in a delayed stimulation capacity.
Content Testing- After seeing a video, the user has this large body of information and it needs to be stored (see previous blogs on the process of memory storage). One way to facilitate retention is through immediate testing. This requires the user to recall the information that they just learned through the training video, use it to answer questions, and re-store it, thereby strengthening the memory. Without this, the message is not strengthened and the literacy foundation is much weaker. Because of its placement immediately after the video, content testing is most effective as immediate stimulation.
Posters and Additional Content- One thing that was probably painfully obvious in the previous example was that the user's only exposure to the posters and newsletters was immediate and in conjunction with training. I have never seen a client use posters and other additional content in an immediate stimulation fashion because it does no good. Each is intended to call the user back to the information in training, facilitate recollection, and encourage more secure behavior across the entire year. Showing everything all at once is like placing all your cards on the table. You have nothing left.
While timing of your content requires more finesse and thought, classifying each part as either an immediate or delayed stimulation tool is vital in figuring out exactly where everything goes.