Making It Stick: How To Get The Most Out Of Cybersecurity Training

Business Security

Security consciousness training doesn’t person to beryllium a snoozefest – games and stories tin thief instill ‘sticky’ habits that will footwear successful erstwhile a threat is near

28 Mar 2025  •  , 5 min. read

Let maine commencement pinch an effort astatine a story:

Sarah’s eyes darted crossed nan email taxable line, which read: “URGENT: Payment Needed – Action Required”. It was 4 p.m. connected a Friday, and nan CEO’s sanction glared from nan sender field. The connection was circumstantial and to nan point:

"Hi Sarah, we request to make this costs earlier adjacent of business today, different we'll incur other ineligible cost. See nan costs info attached. This has to do pinch Project Phoenix and nan merger I said astir successful nan net telephone past week. I'm successful back-to-back meetings pinch ineligible and others, truthful I've nary clip to explicate more. Please grip it ASAP though.

Sarah’s tummy knotted pinch worry and her beat quickened successful panic. For a fleeting moment, she really felt for illustration she’d seen a akin connection before, astir apt successful past year’s cybersecurity consciousness training. But by now that training was a blur of lifeless PowerPoint slides, forgettable screenshots and mind-numbing multiple-choice questions replete pinch obscure position and concepts.

Besides, Project Phoenix was real, arsenic was nan merger. The reside wasn’t excessively chopped from nan terse directives successful caller soul memos. To apical it off, “who americium I to mobility aliases second-guess nan CEO’s instructions, anyway?,” she thought. Under unit and vulnerable to authority cues, Sarah shrugged disconnected her unease, did arsenic she was told, and dutifully wired nan money.

By Monday, reality caught up: immoderate US$200,000 vanished into an offshore relationship controlled by fraudsters. The email? Spoofed and pieced together from accusation vacuumed from property releases and LinkedIn posts. In this time and age, this is by nary intends prohibitively difficult for immoderate scammer worthy their salt. In nan end, quality psychology trumped information policy.

While this cautionary communicative is fictional, it does picture a script that commonly plays retired pinch nan recurring nightmare that is Business Email Compromise (BEC) fraud. These schemes don’t trust connected method wizardry; instead, they prey connected immoderate of what makes america human, yet paying tremendous dividends for scam artists. By nan FBI’s tally, betwixt 2013 and 2023, BEC fraud costs organizations astir nan globe US$55.5 billion.

Let nan fig descend in.

Ripping disconnected nan set aid

The communicative supra exposes a awesome problem: moreover nan astir diligent labor are prone to forgetting what they “learned” successful cybersecurity training. Dry PowerPoints, mandatory quizzes and compliance checklists are often forgettable and tedious. Many specified consciousness programs present only so-so results while failing to reside nan guidelines issue: behavior. Employees strengthen them to get it complete with, retaining small and putting into existent believe moreover less.

This is disconcerting because nan mobility isn’t if labor will look an onslaught – it’s whether they’ll beryllium prepared erstwhile nan unit mounts. And galore intelligibly aren’t, arsenic shown, for example, by Verizon’s latest Data Breach Investigations Report (DBIR), which says that more than two-thirds of information breaches impact quality error. Someone obliged. Someone clicked. Someone made a mistake. Someone for illustration Sarah.

Imagine occurrence drills wherever labor beryllium done a speech connected combustion mentation alternatively of evacuating a building. When a existent emergency strikes, they mightiness pain to death, clutching their certificates of completion. So why would you “train” group to past cyberattacks pinch absurd policies, alternatively than engaging and simulated experience? Why taxable your labor to mundane training that is apt to neglect nan infinitesimal unit hits?

The antidote

No, it's not that our brains are lazy – they’re really beautiful efficient. Every day, each of america processes hundreds of messages, clicking, sharing, and responding pinch minimal friction. Amid nan deluge of information, we've go conditioned to make split-second decisions that often prioritize velocity complete thing else, including security.

But alternatively than sending louder warnings aliases rehashing nan aforesaid aged quizzes, nan solution requires "hacking" brains. To beryllium much exact, it involves utilizing techniques that tin thief rewire decision-making pathways and train america to suspend our habitual reactions – aliases moreover cook caller habits into immoderate of our behaviors. Our brains are prone to discarding barren facts successful bid to conserve energy, but they will happily cling to emotionally-charged, participatory experiences.

This is wherever realistic simulations and well-thought-out gamification tin help, borrowing elements from video games that people prosecute nan brain. In fact, whether it’s your fitness app turning workouts into position games aliases societal media apps feeding our craving for validation pinch endorsements, galore of your mundane apps already impact immoderate of nan principles underpinning gamification. Game mechanics are besides being utilized pinch awesome occurrence successful capture nan emblem competitions that countless IT professionals eagerly subordinate each year.

Wired for stories

One cardinal measurement of upping your organization’s information crippled (no pun intended) involves leveraging nan powerfulness of storytelling. Stories are acold much than a measurement to walk nan clip – they’ve ever helped america make consciousness of nan world and moreover stock endurance strategies. They ray up nan brain’s pleasance and affectional regions, yet changing attitudes and behaviors.

So it only makes consciousness that nan powerfulness of this endurance instrumentality is progressively being harnessed for endurance successful today’s integer jungle, particularly through gamification. When information challenges are woven into a gripping storyline that presents threats arsenic characters, information measures arsenic devices and labor arsenic heroes, representation statement and callback tin summation significantly.

Meanwhile, realistic phishing simulations supply hands-on learning and thief build musculus memory. They don't conscionable thatch – they trial and reenforce nan correct behaviors successful discourse and successful a safe environment. Scenario-based learning and realistic simulations spot labor successful situations that reflector existent threats and respire life into information concepts, helping create affectional representation anchors that persist agelong aft nan training ends. The proliferation of schemes involving deepfakes and different AI-aided ploys only raises nan urgency further – conscionable see this lawsuit from conscionable weeks ago wherever a finance master paid retired US$25 cardinal aft a video telephone pinch deepfake versions of elder unit members.

From checkbox to checkmate

So, ideate that Sarah, faced pinch that urgent email, doesn’t panic; instead, she pauses. She recognizes nan reddish flags, because she has encountered akin scenarios successful her engaging information training. She’s built nan musculus representation to stop, think, and verify earlier taking action. In nan end, alternatively of wiring costs to a cybercriminal, she alerts nan information squad to a blase onslaught attempt, turning a perchance embarrassing mishap (followed by unfavorable media sum of a successful cyber-incident) into a powerful learning infinitesimal for herself and nan remainder of nan company.

The extremity end isn’t only compliance – it’s to make information behaviors instrumentality and, indeed, to make them almost arsenic instinctive arsenic flinching from fire.