Cybersecurity training has been a recurring theme on this blog recently. Specifically, we’re seeing that traditional approaches aren’t necessarily effective when training a broad audience. Many factors can affect people’s ability to understand lessons and put them into practice. That can include different learning styles, neurodiversity traits, comfort with – or fear of – technology, as well as ways of working and organisational structures.

In May, Bozena Jaslan blogged about how some neurodiverse people who have difficulty with impulse control can find it hard to avoid falling for scams. Soon after, we covered the BH Consulting customer day featuring a talk by Dr Hazel Murray of Munster Technological University. Her work in developing security training material for vulnerable groups uncovered some surprising findings.

It’s a fascinating subject with valuable lessons for cybersecurity professionals who either develop or deliver training programmes in their organisations. So, we spoke with Dr Murray to dig deeper into her work leading a multidisciplinary team aiming to solve the challenge of making sure that people who are already vulnerable aren’t more at risk when they go online.

The Research Ireland-funded project is called Cyber Safety for All. Through one-to-one interviews, focus group discussions, and workshops, it aims to develop positive cybersecurity training that teaches people how to recognise and avoid scams, stay private online, and manage their passwords.

More tailoring, less off the peg

The first phase of the project started with older adults, and the group’s work is now continuing into different groups including recent migrants and refugees, domestic abuse victims who may need to protect their privacy, people who are vision impaired, and people with intellectual disabilities.

“The development process needs to be repeated because the needs of individuals with intellectual disabilities are different to the needs of older adults,” Dr Murray explains. “We want to go back and ask: ‘What are your needs?’ ‘What do you have concerns about?’ ‘What aspects of technology are you comfortable with?’ And through that, we will figure out what our next direction is.”

There are several lessons all wrapped together in this observation. The first is: cybersecurity training is highly context-dependent. No two organisations are the same, and groups of people will also differ in how they need to act on the advice they get.

Ask the audience

The next lesson is to involve the audience in creating the training as it increases the chances they will absorb the lessons. “In a traditional education setting, involving students in decision making benefits their learning. People are more invested in a change if they’ve helped to shape it. So logically, co-creation is just one step further than that,” Dr Murray says.

Co-creation involves meeting the intended group, discussing their challenges, and asking for their insight into what solutions are practical and relevant to their roles. This approach has a proven track record in industries like car manufacturing. The Toyota Way, the culture that led to lean management, starts from the idea that the people working at the coalface – for example, on a production line – are best placed to identify problems with a process and understand how to improve it.

Top-down training, developed by people with no connection to the work, won’t feel relevant to the intended audience, Dr Murray argues. “You might be the cybersecurity expert, but you’re not the expert on their working day, or their business. The security advice needs to be meaningful: seen from their perspective, informed by their experience, and meeting their needs,” she points out.

Language matters

Too often, cybersecurity messages are prescriptive and use negative language, like ‘don’t do this’ or ‘don’t click that’. Dr Murray believes that good security training needs to move away from this approach. “We work a lot with small businesses and one problem with cybersecurity is how overwhelming it feels. We need to remind people that there are very achievable things they can do to improve security. A simple act like backing up data every month is going to make a small business so much more secure,” she says.

That kind of message won’t necessarily apply to an organisation that deals with a lot of data and will need to back it up much more frequently. But that just proves Dr Murray’s point that security training needs to match the needs of the business.

“My research came from looking at different businesses and seeing that one company will need different cyber security policies to another. Even if they’re in the same sector, they might have different priorities or different user setups,” she says.

Different roles, different rules

As well as tailoring cybersecurity training by company, that could also mean giving different messages to different groups, varying by someone’s role or seniority. “We know that if you’re giving advice to an older person living at home, you can say: ‘write down your passwords in a little book and keep them in a drawer’. But if you’re advising a CEO, you’re not going to say, ‘write down your passwords in a little book and put them in the drawer’,” Dr Murray says.

Her research also found that cybersecurity training and company policies need to be consistent. “So much training is out of the box, and the content might not align to your cybersecurity policy,” says Dr Murray. For example, if the company policy says passwords should have a minimum of 10 characters, but the training suggests using passphrases, people will be confused and they’ll lose faith in the training.

“A bad security policy doesn’t just impact security, it impacts staff morale, workflow, efficiency and effectiveness,” she argues.

How to design effective security awareness

So, how should a small or medium-sized organisation go about designing a useful security awareness programme? Dr Murray says it’s essential to get all the stakeholders involved in the process – from senior roles through to HR and admin staff. “You’re looking to get a snapshot of the organisation’s workflows and processes. That will tell you what cybersecurity is needed, and also where your cybersecurity needs to take the workflow into account.”

A classic example of where cybersecurity and workflow clash is the advice not to click on links in emails. “If an HR person is being forwarded CVs, or, if someone works in sales or purchasing, what can they do if they can’t click on a link in an email? It’s completely unreasonable to have the rule ‘don’t click on links’, so therefore don’t make it a rule,” Dr Murray says.

She recommends that the initial interviews should be on a one-to-one basis, so people’s answers are more honest. A junior staff member won’t necessarily admit to poor security behaviour if the head of HR is within earshot. The aim should be to get past the disconnect between people clicking on links and the people who are setting the rules.

Dr Murray believes it’s unfair to ask people who aren’t cybersecurity experts to make decisions that require expert knowledge. Instead, she recommends technical controls to counteract the risk and stop people from falling victim to phishing or scams, like sandboxing accounts from the rest of the system.

Promoting good cybersecurity behaviour

She also believes that cybersecurity training is more effective when it doesn’t look to shame people for behaviour that could lead to potential security risks. Some organisations use phishing tests to check if people have learned the lessons from a training programme or awareness campaign. But Dr Murray says the choice of language can make all the difference. Phrases like ‘you fell for the scam’ are unhelpful because they blame the individual.

“Instead of ‘catching out’ 20 per cent of your team who get it wrong, reward the 80 per cent who get it right. Point out to the people who made a mistake, but don’t punish them. We’ll be a lot closer to approaching cybersecurity more positively if we stop this victim blaming mentality,” she says.

Tailoring cybersecurity training clearly involves more effort than running an off-the-shelf training programme, but Dr Murray’s research shows it’s worth doing. When people understand why they’re taking action, and they’ve contributed to developing the rules they need to follow, they feel empowered, and it improves their understanding of cybersecurity. That leads to better learning outcomes. In turn, that leads to more effective protection for themselves and the organisations they work for.

About the Author: Gordon Smith

Gordon Smith is a freelance journalist, copywriter and content consultant based in Ireland. He has covered information security, cyber risk and data privacy in print and online for over two decades, from national media including the Irish Times, Irish Independent, and Business Post, to specialist online news sites and titles including Siliconrepublic.com, TechPro, Help Net Security and the Law Society Gazette. He also hosts the annual IRISSCON conference in Dublin – Ireland’s longest running infosecurity event – and has produced content for a number of security industry organisations and business groups.
