Best Security Awareness Training for Employees: E-Learning Guide
- Palo Stacho, Co-Founder of Lucy Security, acquired by ThriveDX's Enterprise Division
Every business is one click away from financial ruin. Cyber security training for employees is mandatory. Whether your intellectual property ends up posted online, paying hundreds of thousands of dollars to fake vendors, or forking over millions in ransom payments, one wrong move is costly. One way or another more than 90% of today’s threats involve (usually unwitting) employees.
So what gets through to them? What are the best security awareness training formats for employees in 2022? Let’s take a look at different types, and what is resonating with employees today.
Why Train Employees on Cyber Security?
One of the most significant and costly dangers for companies is when sensitive customer records or company data are compromised or stolen via a ransomware attack or related data breach. A secure technical infrastructure is often not enough here, because 97% of all attacks target actual employees via social engineering or another “human factor” vulnerability. 91% of these attacks still arrive via email.
To eliminate this security gap, security awareness training for employees must be mandatory. For example, employees should easily discern phishing emails from regular emails.
So how can employees effectively train to recognize cyber-attacks in time and protect the company?
Since all of these dangers lurk on the Internet, the only way to address them is through targeted cyber training in the form of e-learning formats. We will examine which training formats are most effective in the context of cyber training and have the greatest learning effect.
Cyber Security Training for Employees: What works?
The digital age has transformed learning. Why bother poring over books when you can visualize the answer in an entertaining and memorable way? After all, nobody reads directions anymore – they watch YouTube videos.
Digital learning formats range from videos to games. The content of these formats can often be customized to individual users.
Increasingly people use digital media to teach schoolchildren and students as part of digital learning offerings from educational institutions, private individuals, for example for professional development, or companies that train their employees digitally.
Here is an overview of the most popular learning formats and their application in the field of cyber training:
Best Security Awareness Training for Employees: E-Learning
It is often easier to present complex contexts using images and visual effects vs. simply reading. Learning videos often include audio tracks to provide an additional linguistic explanation of the lesson.
Bottom line: Learning videos are in demand like never before and are a standard format in e-learning.
Security awareness training often employs learning videos because people are visual creatures. Making cyberthreats “real” by presenting them visually helps people identify (for instance) what a phishing email actually looks like and how to recognize malicious links.
So, what makes a great training video?
- Shorter is better. In general, the best security awareness training for employees is short and digestible. In general, three minutes is good. If you need more time, make sure it’s produced in an entertaining way.
- Production matters
E-Learning videos should be engaging and produced in a style that fits the content. The key here is to strike a balance between entertainment and knowledge transfer: Complex topics, for example, require a simpler style, while lengthy topics and, as mentioned above, longer videos should be entertaining as possible to keep viewers’ attention.
The following is an overview of the most popular video styles for training employees on cyber security:
Digital Animation
Digital Animation is ubiquitous in our media universe, and cyber training is no exception: Animations are suitable for young to old and covers simple to complicated content. Moreover, video elements easily translate and customize between regions, cultures, and language barriers. Animation is popular because it breaks down complex topics into easily understood content in an entertaining way.
There are almost no limits to the imagination. Animated videos can be more or less entertaining depending on the requirements of the training content. For example, complex content might present in black and white to reduce distraction, while more colors better convey dry content. When deciding the best cyber security training for employees, know your audience. How much time do they have? What’s their attention span? Here is an example of a cyber training video from ThriveDX’s new security awareness series in cartoon animation style.
Comics
The comic style is currently quite popular and conveys training content in a particularly entertaining way. However, this can sometimes look amateurish or unprofessional. Well-known comic styles include anime and manga.
Live-Action
This format uses real actors, allowing the participants to easily immerse themselves into the scenarios. For this reason, we at ThriveDX place great emphasis on providing short live-action videos. For example, filming role plays, interviews, or even “soap opera”-type content teaches users what they need to know. Although this learning format is very realistic, it is comparatively costly to produce and customization nearly impossible. Further, live-action videos often run longer, and this circumstance can exceed the available training budget per employee. Watch a ThriveDX Live-Action Cyber Training Video here.
Interactive Video
Interactive video is a combination of educational videos, games and quizzes. The videos pause at regular intervals, allowing users to answer questions about previously learned content. They can even help decide the course and outcome of a video. This innovative learning format is particularly popular because users are less distracted and feel more involved than with a video or game. The acquired knowledge is assessed at regular intervals and, if answered correctly, the motivation and enjoyment of learning also increases.
This innovative and varied form of digital learning is often called the “future of e-learning” because of its high learning effect. This method is also extremely popular in cyber training, as it allows learned material to be constantly assessed and reevaluated. For example, in cyber training, a video can first explain what the characteristics of a phishing email are and then test for this knowledge in a quiz.
Interactive videos are ThriveDX’s Security Awareness Training’s “specialty,” often used in ThriveDX modules due to the high entertainment factor and learning effect. Here is an example of an interactive ThriveDX Security Awareness Training.
Game-Based Learning
“Gamification” or game-based learning, teaches security through digital games with the aim of educating participants in a fun and entertaining way. The focus here is on the fun and “win” factors. For example, players can reach different levels or track their status on a leaderboard. Instead of feeling forced to be there, a competitive streak awakens in many participants to where they feel like they are playing a game in their free time. Game-based learning is therefore particularly effective and often used.
ThriveDX’s cyber training also employs games: The ThriveDX Phishing Game, for example, emulates “Who Wants to be a Millionaire?” Like the show, jokers and up leveling and increased payouts can be reached. Play the ThriveDX Game.
Quiz
Quizzes are a form of game-based learning which first assesses knowledge of participants in a playful way, usually with multiple-choice options. Often a quiz follows a learning block to assess prior knowledge vs. knowledge after completion of training in order to measure training effectiveness.
The ThriveDX Malware Quiz asks the participants to recognize malicious software. Evaluate yourself with ThriveDX’s Malware Cyber Training Quiz.
Standard or Individual Cyber Training?
We just reviewed the different types of e-learning formats and their applications within security awareness training. In addition to learning formats, other important characteristics factor into successful cyber training. One important factor is the amount of customization available in training content.
When producing e-learning content, distinctions break down between standard production and individual production.
Standard content is mass produced, requiring no need for company or industry-specific adaptations. Prefabricated content is sufficient to meet the training objectives.
Where standard content is not sufficient due to company or industry-specific requirements, customized learning content tailored for specific roles and employees might be in order.
Customized cyber training content therefore makes it possible to train employees in a more targeted manner: For example, if training accounting employees to recognize phishing attacks, tests should mimic payment systems often used by the company in order to make the cyber training as realistic as possible.
Based on our experience, the need for individual adaptation increases significantly from a company size of 50 people. This is because larger companies have specific guidelines and requirements for employees to meet, respective to their roles. You often hear: “The course on ‘secure password use’ largely covers our requirements, but we would like to add our company specifics.”
Monitoring learning outcomes and reporting
What you can’t measure, you can’t manage: that’s why the ability to monitor learning outcomes is another important characteristic in the implementation of e-learning training. On the one hand, this refers to the learning progress, but also to the improvement from the starting point. It is therefore crucial to take a snapshot of participant knowledge levels before training commences to establish a baseline of knowledge. From there, future learning is evaluated by measuring against the baseline and tracking progress by using integrated monitoring systems. Tracking their own learning progression incentivizes training participants to stay on track. Companies can measure the extent to which their investment in training is bearing fruit.
Assessing employee cybersecurity knowledge before training typically happens by launching simulated cyberattacks like phishing or smishing. Over time, progress tracks against the baseline by determining how sensitized employees are to cyberattacks and how able they are to recognize them.
With ThriveDX, it’s easy to measure cyber training learning progress and verify achievement. In other words, we help you scientifically determine the best security awareness training for your particular employees.
Attack statistics and learning progress tracks in real-time, over time. You can also track attack simulation statistics such as the number of emails opened, number of links clicked, and successful attacks.
For more information on ThriveDX’s enterprise security training programs, please visit us at
Palo Stacho has been an entrepreneur, public speaker and thought leader in the IT industry. He holds a Swiss Federal Diploma in Computer Science and a postgraduate degree in Corporate Governance from the HSG. After spending several years working in cybersecurity, Palo joined Lucy Security as a Co-Founder to help build the company in 2015. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, be it at Lufthansa, Bosch, Mobiliar Insurance, OMV, Swisscom and more. In 2022, Lucy Security was acquired by ThriveDX’s Enterprise Division and Palo has remained on as an Advisor to the company.
Protect Your Organization from Phishing
Explore More Resources
- Article, News
- Article, News
- Article, Blog
- Article, Blog
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.
