GUEST ESSAY: Cyber hygiene need not be dreary — why engaging training is much more effective

By Lise Lapointe

Instilling a culture of cyber security at your organization requires your people to maintain a high level of knowledge and awareness about cyber security risks—and that takes an effective, impactful, and ongoing security awareness program.

Related: Deploying employees as human sensors

However, a security awareness program is only as good as its content. To ensure that your end users retain core concepts and knowledge, it’s important to contextualize topics and keep your people engaged during the entire training process.

Additionally, to hold their interest, the content must be fun. These results are achieved in a few different ways. Let’s take a closer look.

Make it engaging!

First and foremost, your security awareness program’s content must be engaging. Break up lessons into bite-size morsels, and carefully divide them by topics. Keep the interface simple, and include an interactive component, such as a short quiz, in each lesson.

Also, tailor content to the user’s specific role within the organization. You might show someone in a manager role, for example, content that helps them coach their team members and supervise any existing cyber security awareness processes.

Content quality is also integral to your organization’s cyber security because it’s directly tied to the completion levels of your training. When you provide quality content, your employees understand this is a subject you’re serious about.

They’ll be much more likely to stick with their cyber security habits; when they do, you strengthen your data security.

Customize your content

Along with making sure your content is engaging and of high quality, it’s also helpful to vary the media you use to deliver your content and personalize it to your organization’s needs. Otherwise, it’s likely that your users will never relate to it and take it seriously.


For example, you can use newsletters and desktop images as reference material and reminders of best practices. Deploy them after the learning activities or use them to promote key topics that you did not have the opportunity to cover during your program.

You can also promote your message with short, engaging online learning activities throughout the year, such as microlearning, nano-learning, videos, and gamified Cyber Challenge modules.

Take the time to carefully consider and customize the content you want to include in each program campaign, too. To make your selection, you must consider many variables, including the risks, the behavior you want to change, your participants’ motivation, your organization’s culture, your training budget, and your capacity to implement and distribute the content in various forms.

Course customizations can also include things like your logo, brand colors, links to your organization’s policies, photos, videos, and other visuals relevant to your organization.

When customizing your program content, avoid over-customization. In other words, don’t cover too much information in a single course. Your goal should be to turn participants into security advocates, not experts, so tailor your content with that in mind.

Vary your tools

Everyone responds to messaging differently. Fortunately, there is an assortment of awareness tools available; which ones you choose will depend on the context and the target audience.

Online courses, for instance, allow you to reach a broad audience quickly. They offer a way to address specific learning objectives, and they generally have higher retention rates due to the interactivity that comes with online training.

Live presentations, on the other hand, are the ideal format to share valuable security-related information with executives and senior managers, because they are short (15–20 minutes) but long enough to cover the specific awareness concerns of leadership (e.g., threats and relevant news stories).

Live presentations can also be used for general audiences; they allow attendees to ask questions and hear from their peers.

After launching a campaign, use reinforcement tools to repeat the key messages covered in the awareness training. That will send the message home, ensure participants don’t forget best practices, and keep security top of mind.

Videos, newsletters, desktop images, web banners, games, and posters are just a few ways to increase retention, prioritize information security, and ultimately achieve your campaign objectives.

Instilling a culture of security at your organization is not a “one-and-done” project. It’s an ongoing process whose success depends on how engaging your content is.

But, by making sure you offer high-quality, engaging content in a variety of formats, you will go a long way toward making sure your employees learn, retain, and implement cyber security best practices.

About the essayist: Lise Lapointe has dedicated her career to growing security-aware organizational cultures worldwide. Her company, Terranova Security, spearheaded personalized, people-centric security awareness programs that reform risky human behaviors. A resident of Quebec, Lise has ranked among both IT World Canada’s “Top 20 Women in Cyber Security” and WXN’s “100 Most Powerful Women” entrepreneurs in Canada.

(Editor’s note: This essay was adapted from Lapointe’s book, The Human Fix to Human Risk.)
