
There are (at least) Three Ways You Should be doing SAT Campaigns Differently (Part 1)
Sep 12

Experience OutThink
The vast majority of enterprise organisations are still running their cybersecurity awareness campaigns according to a traditional format whichâas most of us recogniseâdoesnât work especially well.
The chances are your organisation runs either a single annual campaign, or biannual campaigns. Each campaign is stacked with content: it needs to be in order to cover all the relevant info. It probably clocks in at over 30 minutes, maybe a long way over. And every year, a lot of people fail to complete their training by the deadline, despite the usual reminders from the Info Sec team.
There are Better Ways to Run a SAT Campaign
This traditional format is inherited from compliance training, and itâs sometimes kept in place by a broader organisational training policy, or by an out-of-date and creaky LMS. But these obstacles are generally surmountable with the right tech stack and stakeholder buy-in.
The question is: what should a forward-thinking organisation be doing instead?
In fact, there are a range of well-evidenced alternatives. At OutThink, weâve helped many of our clients transition to better SAT campaign formats. In this two-part article, I want to share three of the most important changes we recommend that any organisation implement. Iâll briefly set out what they are, and then in the rest of Part 1 Iâll dive into the detail of the first insight, together with the evidence for its effectiveness.
Three Key Insights for Better SAT Campaigns
- Training âa little and oftenâ is more effective than an annual or biannual campaign
- Training targeted to specific learner profiles is more effective than âone size fits allâ campaigns
- Strategic messaging from across the business drives engagement and completion rates more effectively than any other intervention
Letâs take a closer look at the first insight.
Training âa little and oftenâ is More Effective than an Annual or Bi-Annual Campaign
Data collected by the OutThink platform shows a direct negative correlation between campaign length and learner knowledge scores. In other words: the longer a training campaign is, the less people learn.
Maybe this seems surprising, but itâs very much in line with the findings of learning science. The science of how people learn is fairly mature, and some of its core insights are well-evidenced.
One of these is that âspacedâ learning is robustly superior to âmassedâ learning. There are different ways of defining these terms, depending on the type of learning under consideration, but broadly speaking âspacedâ learning means learning a little and often, revisiting what youâve learned at a regular cadence as you go. âMassedâ learning means cramming everything in one go, and revisiting topics only once youâve covered them all.
Regardless of the variations of âspacedâ and âmassedâ learning being researched, studies consistently find that spaced learning improves outcomes by around 10% on average compared to massed learning (and it can be much higher).
What does âa little and oftenâ Look like in an SAT Context?
Clearly the single annual cybersecurity campaign is a paradigmatic example of massed learning. So what would spaced learning look like in an SAT campaign?
Weâve found that quarterly or even monthly campaigns are effective. Naturally each campaign needs to be much shorter: less than 15 minutes for quarterly campaigns, or 5 minutes for monthly campaigns. We also recommend occasionally following up on the topics covered in previous campaignsâ training with microlearning content.
How can you Implement Spaced Learning in an Enterprise SAT Context?
Many organisations will encounter cultural roadblocks to fully implementing this approach. Significant stakeholder buy-in may be necessary to change training policy or culture, and some stakeholders may feel that monthly or even quarterly campaigns are âtoo much,â even if time in training remains the same.
Fortunately, even when the cadence for security training canât be drastically altered, there are ways to implement a more spaced-learning approach alongside traditional annual campaigns. The OutThink platform, for example, allows you to embed training in phishing drills, push microtraining via Microsoft Teams and Slack, or target specific high-risk groups with more frequent campaigns.
Other ways to âdrip-feedâ awareness training to learners include internal communications channels, organisational social media, and regular real-world poster, flyer or sticker campaigns.
There are Huge Cultural Advantages to Shorter Campaigns
As well as improving learning outcomes, more frequent training campaigns are a powerful tool for improving your organisationâs security culture. They weave cybersecurity into the fabric of peopleâs day-to-day, rather than leaving it as something they only have to bother about once a year.
Â
Shorter campaigns can also improve learnersâ feeling about cybersecurity. We use AI to conduct sentiment analysis on learner feedback, which reveals that the second most frequent learner complaint about SAT campaigns is that training is too long (weâll come to the most frequent complaint in Part 2!)
More positive learner sentiment leads to better engagement in cybersecurity training and practice, so shorter training campaigns have significant benefits beyond the robust improvements in learning outcomes.
Next Time...
If a spaced learning approach to SAT isnâtfeasible at your organisation, never fear! We have two more key insights you can implement to improve the format of cybersecurity awareness training campaigns. Although all three insights work best in combination with one another, each is measurably effective when implemented by itself.
Weâll look at the next two insights in Part 2, together with more evidence for their effectiveness drawn from our platform data and the work of learning scientists.
