There are (at least) Three Ways You Should be doing SAT Campaigns Differently (Part 2)

In this two-part article, we’re looking at three key insights which can help any organisation run more effective SAT campaigns. We’re also looking at evidence for their effectiveness, drawn from our platform data, the science of learning, and academic studies of cybersecurity training.

If you haven’t read Part 1, which discusses our first insight—the concept of “spaced learning” and its relevance to SAT—I recommend starting there.

In Part 2, we’re going to look at two more key insights: the effectiveness of targeted training, and the value of strategic messaging from across the organisation.

The traditional SAT campaign is “one-size-fits-all.” The same content, in the same format, for all learners. Often this approach is enforced by legacy LMS systems that make it inefficient to create multiple overlapping campaigns, or difficult to track the results.

This issue can be overcome with the right training tools, but this may require investment, so it’s important to establish first that it’s likely to generate a return in better training outcomes.

With the data drawn from our platform, this isn’t difficult to do.

Our platform uses AI technology to analyse learners’ feedback on training. We’ve consistently found that the most common concern raised by learners is that the cybersecurity training they’ve received isn’t relevant to them.

This arises from a number of factors: the training might cover content which the learner already knows, or which doesn’t apply in her country or region, or which only applies to systems and devices she doesn’t use. But at most organisations, the disconnect relates to different working roles. A one-size-fits-all campaign has to include training on, for example, payment fraud, which means even employees who never process or authorise payments have to be trained on it.

The average employee is unlikely to be aware of the challenges of rolling out SAT across the whole organisation. From their perspective, the security team is simply happy to waste employees’ time. It’s not good for security culture.

The OutThink platform allows security awareness teams a wide latitude of customisation and targeting—including targeting training by job role—much of which can be automated.

But if you don’t have OutThink in your training tech stack, even small customisation efforts yield engagement dividends.

Our platform allows admins to edit the language of our training content, and our data shows a clear positive correlation between the number of these customisations made in a given training campaign and the learner sentiment during that campaign.

In other words, simply tweaking the language of generic training content so that it reflects your organisation makes people feel more engaged. It might be as simple as replacing “the company” with “the bank” (if you’re a bank!) or including your organisation’s specific departmental names and titles.

One of the most well-established principles in learning science is the concept of “cognitive load.” In simple terms: learning something new places strain on your working memory. This means that any unnecessary stimulus while you’re learning reduces your capacity to learn.

This is intuitive to most of us: it’s one thing to read the news while someone is talking loudly in the next room; it’s another thing to try and practice a new language under those conditions.

But learning science shows that this principle applies even at quite subtle levels, subtler than we may be consciously aware of. What this means is that irrelevant information in a training campaign isn’t just wasting the learner’s time– it’s also making it harder for her to retain the information that is relevant!

One of the biggest challenges for an enterprise cybersecurity awareness team is driving training completion rates. We’ve dedicated quite a bit of time to developing interventions which can help, and building them into the product.

But the core insight can be implemented without any additional tech. In short: what drives completion rates is not messaging from the security team. It’s messaging from across the business.

Line manager nudges increase completion rates by as much as 15%

Our platform identifies line managers and encourages them to nudge non-completers near the training deadline.

The data shows that this feature is incredibly effective, improving completion rates by as much as 15% with a single intervention.

Messaging from colleagues is nearly as effective

What’s perhaps more surprising is that it’s not just hearing from their line managers which encourages people to complete their training. Research by the CEB (now part of Gartner) found that even messaging from colleagues improved training outcomes by up to 9%.

How to Implement Strategic Messaging

If you don’t have the technology to automate this kind of messaging, implementing this approach is tricky but not impossible. It requires a lot of buy-in from stakeholders, and coordination across teams.

The good news is that even small interventions will have an impact. Encouraging people to share their training experience through internal communications channels is a good place to start. If you have completion data by department, you could encourage departmental heads to drive this kind of messaging by letting them know where they sit in the completion league-table.

Our data suggests that no other intervention can do more to improve your completion rates.

As we’ve seen in this two-part article, there is nothing short of a gulf between the way SAT is currently conducted at most enterprise orgs and the evidence-backed optimal training procedure.

Besides the three key insights we’ve looked at, there are a wealth of smaller ones which can improve training outcomes still further. Sadly, few organisations have implemented even the three key strategies we’ve outlined.

As cybersecurity becomes an ever-more-urgent organisational concern, we expect to see more organisations turning to evidence-based training approaches. Given the organisational challenges involved, the best time to start is now.