emPower

Poor Delivery – 5 Reasons Why Security Awareness Training Programs Fail – Part 2

You can have the best content in the world – well-written and illustrated, perfectly aimed at your target audience … – and your program will still fail if the delivery is poor. Whether it’s a boring presentation in the classroom, or web-based training that simply doesn’t work on the students’ PCs, focusing on content at the expense of presentation can doom a security awareness training program from the start.

Here are three of the ways that I’ve seen poor delivery kill awareness training programs.

  1. Classroom Training with Poor Presenter(s)
  2. Web-Based Training That’s Too Complex
  3. Too Much Glitter in Web-Based Training

 


1. Classroom Training with Poor Presenter(s)

I think we all remember really good teachers and really bad teachers from our school days. And we also tend to remember what the good teachers taught us. Security awareness training is no different.

If you’re going to do your training in the classroom, you’ve got to be prepared to find good presenters – whether that’s someone already in your organization, or hiring someone from outside.

At the risk of generalizing, your information security and/or IT staff are seldom the right people to be handling this. Not only are they rarely comfortable in presenting to audiences, they tend to allow themselves to be drawn into too much technical detail (see also my recent post – “Don’t Get Bogged Down in How To“).

One final note … hiring an outside presenters such as an information security expert/consultant can have the side benefit that the message may be perceived as more important, and help you to avoid the “Oh no … Steve from IT yet again” factor. This is especially important if you’re presenting to managers and/or executives. And perception, as we all know, is at least half of the battle!


2. Web-Based Training That’s Too Complex

If you decide to use Web-based training rather than classroom sessions, you don’t have the problem of finding teachers with great presentation skills. But you still have to design the content well, and you’ve given yourself another potential problem – you need to be able to get the training materials from your server(s) to the students’ browsers and have it function correctly there.

If your training program requires plugins that aren’t on students’ computers:

  • Many (most?) of your students won’t bother to try to install them.
  • Even if they try, they may not be able to do so because they may not have the appropriate privileges.

In the past, many training programs have used Flash extensively. However, with an increasing number of attacks being aimed at Adobe products (see, for example, my post from December last year on “Security Problems with Acrobat and PDF Files“), I’ve seen more and more organizations deploy desktop images without Flash being installed. And relying on plugins is likely to get worse as we see increasing use of mobile devices since many of them don’t support Flash at all.

Relying on Java can also cause problems. The firewalls deployed by many organizations will block Java applets so you might not be able to use externally-hosted courses.

This is a case where plain vanilla – HTML + JavaScript – is probably best.


3. Too Much Glitter in WBT

Games and interactive activities in training courses can be very useful. They can reinforce the points being made, or break up a course so that students don’t get bored.

But too much focus on glitter (games, animations, videos) rather than content can:

  1. Obscure the basic message that you’re trying to get across, which should be as simple and as clear as possible.
  2. Make it more likely that you’ll have delivery problems e.g. plugins
  3. Make it (much) more expensive to create and maintain

I’ve found that students who play games in online courses often remember the games, but frequently can’t remember the point that the course was trying to make.

If the information you’re presenting is perceived as valuable by students, you don’t need much (if any) glitter. Focus on finding the “value proposition” for students – why should they care about what you’re teaching – and you don’t need games to interest them.

Some quick notes before I finish:

  • Audio and video are NOT interactive unless you count the student clicking on the ‘play’ button. They can be valuable as alternative ways of transferring knowledge – some students will learn more readily from audio or video rather than the written word – but they’re not without their own problems. For more discussion of this, see my post on “Using Audio in Courses” from August last year.
  • Note that I’m not dismissing the value of simulation-based interactive activities in online courses e.g. “click on this image to show how you you would change your privacy settings in your browser”. These actually address a different part of the learning process – “Practice”, where you’re trying to move the students from a state of “Conscious Competence” to “Unconscious Competence”, rather than “Awareness” or “Training”. For more about this, see my recent post on “Awareness, Training and the Four-Stage Learning Model“.
  • Group case-studies in the classroom can be invaluable in breaking up a lecture, involving the students, and also allowing the teacher to wander the classroom addressing specific issues. Sadly (in my experience) it doesn’t work nearly as well in synchronous web-based training classes (e.g. GoToMeeting sessions).

Next time … programs that are too expensive to run on an ongoing basis.

Jessica Holland

Jessica Holland

Like this post? Subscribe to receive updates directly in your inbox.