There are more bells and whistles in eLearning development tools than ever before. For example, there are trendy applications that use artificial intelligence (AI)-generated videos to warn employees about cybersecurity dangers. There are templates on how to design and develop phishing training and recordings of voicemail scams. Unfortunately, none of these applications can singlehandedly win the cybersecurity training war. Regardless of the learning technology used to deliver the training, it is the human side of learning that can truly make an impact.
Let’s be honest: much of the information technology (IT) and cybersecurity training available to learners is a variation of policies and warnings, wagging fingers and simple click-throughs of scenarios of what not to do. For the most part, it’s OK, but it’s not great. This is because it doesn’t connect to employees at the human level. Cybersecurity topics such as password security and single sign-on (SSO) are important; however, people learn by making connections. They need to understand how the learning connects with them, their work and colleagues.
IT risk and cybersecurity training design can benefit from considering learners’ need to understand their place in the organization and how they impact those around them. This connection is what can get them to care about more than themselves. Having said that, here are three aspects of training design to consider with IT risk and cybersecurity training:
- Present all skills using stories. My local hospital’s IT infrastructure was recently hacked. It resulted in hundreds of workers using paper-based systems for weeks. This is the perfect setting for a story on how to prevent hacks within your network. When you use stories, people put themselves in the story (typically as the protagonist) and then feel connected to what they are learning. You can get people to learn extremely complex skills if they understand the story of why and how their activities fit into that why. Without a story, you are expecting people to make those connections on their own, which is a risky bet considering the topic. By adding basic story elements (characters, setting, conflict), you can create a realistic scenario people can relate to and follow easily. Without creating a real-life setting, the training can risk being generic. Without conflict, there is no driver. And without the character, there is no human connection. Use storytelling elements to drive the learning, and the skills will follow.
- Use multi-stage scenarios that show crossover of IT. Many IT skills start with an individual action but quickly expand to other people and departments upstream and downstream. A company is a collection of goals, people, departments and many other nuances. The learner needs to understand where they fit but also who else they impact with their choices. When using stories to teach IT skills, take the story beyond just the one character. Demonstrating that a cybersecurity breach affects more than just the worker and requires work from all the people around them can put the larger impact in context. This can also give you the opportunity to expand your story to other characters that can teach additional lessons and skills. It is nice to mix it up and have many characters teaching the learner from different angles; this shows the holistic impact of the skills and the role that the learner plays.
- Think globally, act locally. You will spend most of the training on how to act locally, but it is important to impart to learners that they must think globally (or at least company-wide) when they consider their actions. This aspect of design focuses on raising learner awareness beyond self and getting people to feel a sense of connection to the company and its IT security. Though this is one of the hardest levels of learner investment to achieve, if the training engages the learner as a human (Element no. 1) and shows them their impact beyond themselves (Element no. 2), there is a good chance that they will start to think about their actions in a more global, company-wide way. IT professionals I work with are often frustrated that employees don’t immediately see the overall impact of their cybersecurity mistakes. My question to them is always the same: How have you engaged them in the conversation besides telling them what to do? If you want learners to think globally and act locally, they need to feel part of the system that they are meant to protect. Otherwise, they are just visitors, and their behaviors will vary based on the person.
Successful IT and cybersecurity training teaches skills by focusing the learners on the value they provide for the organization and its employees. Folding the learner into the overall IT story can make them feel connected and valuable. Though it isn’t always easy to create engaging stories within technical training settings, the quality of learning will change the game and the reduction in cybersecurity events will justify the effort.