
There are (at least) Three Ways You Should be doing SAT Campaigns Differently (Part 1)
Sep 12

The vast majority of enterprise organisations are still running their cybersecurity awareness campaigns according to a traditional format which—as most of us recognise—doesn’t work especially well.
The chances are your organisation runs either a single annual campaign, or biannual campaigns. Each campaign is stacked with content: it needs to be in order to cover all the relevant info. It probably clocks in at over 30 minutes, maybe a long way over. And every year, a lot of people fail to complete their training by the deadline, despite the usual reminders from the Info Sec team.
There are Better Ways to Run a SAT Campaign
This traditional format is inherited from compliance training, and it’s sometimes kept in place by a broader organisational training policy, or by an out-of-date and creaky LMS. But these obstacles are generally surmountable with the right tech stack and stakeholder buy-in.
The question is: what should a forward-thinking organisation be doing instead?
In fact, there is a range of well-evidenced alternatives. At OutThink, we’ve helped many of our clients transition to better SAT campaign formats. In this two-part article, I want to share three of the most important changes we recommend that any organisation implement. I’ll briefly set out what they are, and then in the rest of Part 1 I’ll dive into the detail of the first insight, together with the evidence for its effectiveness.
Three Key Insights for Better SAT Campaigns
- Training “a little and often” is more effective than an annual or biannual campaign
- Training targeted to specific learner profiles is more effective than “one size fits all” campaigns
- Strategic messaging from across the business drives engagement and completion rates more effectively than any other intervention
Let’s take a closer look at the first insight.
Training “a little and often” is More Effective than an Annual or Biannual Campaign
Data collected by the OutThink platform shows a direct negative correlation between campaign length and learner knowledge scores. In other words: the longer a training campaign is, the less people learn.
Maybe this seems surprising, but it’s very much in line with the findings of learning science. The science of how people learn is fairly mature, and some of its core insights are well-evidenced.
One of these is that “spaced” learning is robustly superior to “massed” learning. There are different ways of defining these terms, depending on the type of learning under consideration, but broadly speaking “spaced” learning means learning a little and often, revisiting what you’ve learned at a regular cadence as you go. “Massed” learning means cramming everything in one go, and revisiting topics only once you’ve covered them all.
Regardless of the variations of “spaced” and “massed” learning being researched, studies consistently find that spaced learning improves outcomes by around 10% on average compared to massed learning (and it can be much higher).
What does “a little and often” Look like in an SAT Context?
Clearly the single annual cybersecurity campaign is a paradigmatic example of massed learning. So what would spaced learning look like in an SAT campaign?
We’ve found that quarterly or even monthly campaigns are effective. Naturally each campaign needs to be much shorter: less than 15 minutes for quarterly campaigns, or 5 minutes for monthly campaigns. We also recommend occasionally following up on the topics covered in previous campaigns’ training with microlearning content.
How can you Implement Spaced Learning in an Enterprise SAT Context?
Many organisations will encounter cultural roadblocks to fully implementing this approach. Significant stakeholder buy-in may be necessary to change training policy or culture, and some stakeholders may feel that monthly or even quarterly campaigns are “too much,” even if time in training remains the same.
Fortunately, even when the cadence for security training can’t be drastically altered, there are ways to implement a more spaced-learning approach alongside traditional annual campaigns. The OutThink platform, for example, allows you to embed training in phishing drills, push microtraining via Microsoft Teams and Slack, or target specific high-risk groups with more frequent campaigns.
Other ways to “drip-feed” awareness training to learners include internal communications channels, organisational social media, and regular real-world poster, flyer or sticker campaigns.
There are Huge Cultural Advantages to Shorter Campaigns
As well as improving learning outcomes, more frequent training campaigns are a powerful tool for improving your organisation’s security culture. They weave cybersecurity into the fabric of people’s day-to-day, rather than leaving it as something they only have to bother about once a year.
Shorter campaigns can also improve learners’ feelings about cybersecurity. We use AI to conduct sentiment analysis on learner feedback, which reveals that the second most frequent learner complaint about SAT campaigns is that training is too long (we’ll come to the most frequent complaint in Part 2!).
More positive learner sentiment leads to better engagement in cybersecurity training and practice, so shorter training campaigns have significant benefits beyond the robust improvements in learning outcomes.
Next Time...
If a spaced learning approach to SAT isn’t feasible at your organisation, never fear! We have two more key insights you can implement to improve the format of cybersecurity awareness training campaigns. Although all three insights work best in combination with one another, each is measurably effective when implemented by itself.
We’ll look at the next two insights in Part 2, together with more evidence for their effectiveness drawn from our platform data and the work of learning scientists.
