In case you missed the last Future of Cyber conference in Manchester, here is a recap, including links to further reading, which I hope you might find useful.
What happens after traditional annual eLearning?
According to Ebbinghaus, within 5 days we only recall about 20% of what we learned. If we are faced with a decision after that, and with the many workplace distractions we face, we aren't "primed"; the information is unlikely to be "available"; under pressure, emotion and context will be king; and we will be in System 1 - automatic pilot.
What about other 'timely' approaches?
Researchers have found that our ego won't let us learn effectively at the point of failure. And phish-test-train can also damage the trust we need.
Reacting to SIEM or other events to target training risks "punishing" staff with education which they will find hard to contextualise after the fact.
What does behavioural science say?
Stern's ABC highlights that context rules over attitudes.
BJ Fogg's B=MAP model says that we should prompt, make it easy and motivate behaviours, in that order.
The EAST model says that nudges should be Easy, Attractive, Social and Timely.
How can we support secure decision-making?
So if we want to support people to make secure decisions, we have two options:
- Be the trigger. Prime people so their automatic reaction is a secure one: drip-feed content that is timely, keeps security salient/available/front of mind, and uses social proof.
- Interfere in a "bad" trigger. Knock people out of System 1, into System 2 more deliberative thinking.
If you'd like to learn more check out our blogs, and if you'd like to see how Redflags™ applies these theories then find out on our product page.