As Demographics Change, Security Training Must AdaptBy Guest Author | Posted 08-19-2015
By Marie White
Chances are you’ be surprised to learn that studies today reveal that the No. 1 leading cause of data security breaches is non-malicious employee error (39%), which typically is the consequence of complacency or misinformation. Clearly, the workforce plays a central role in keeping corporate assets safe. Companies worldwide recognize that security-awareness training must be a part of their overall information security plan.
Educating workers about corporate policies and helping them acquire the skills necessary to proactively protect business data is a critically important step. Recent studies also validate the effectiveness of security awareness programs. In the 2014 US State of Cybercrime Survey by PwC, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness also was compelling. Companies with no security training for new hires reported average annual financial losses of $683,000; companies with training claimed average financial losses of $162,000.
It’s not as simple as distributing handbooks during the new hire process. One size most certainly does not fit all. As workforce demographics change, security training must adapt.
Take for example, digital natives or Millennials and Generation Z. According to the Brookings Institution, the cohort born after 1982 will account for “one-third of the adult population by 2020 and 75 percent of the workforce by 2025.”
It’s easy to overlook digital natives’ need for security-awareness training. After all, many, if not most young adults have always been connected and operated in a shared environment. They are such naturals with technology, and so savvy in many ways. However, they tend to take security for granted and assume they already know enough.
So, what do we need to understand about digital natives?
*They have a view that the world should be open and more centralized than hierarchical
*They are social, and always connected
*They tend to be more skeptical and willing to challenge authority
*When it comes to learning, they often believe they know enough already
*They expect higher educational and training experiences to be dynamic, challenging, flexible, innovative, and interactive (problem-solving)
On the other hand, digital immigrants, born before the digital revolution, grew up without ubiquitous technology, and have adapted to it as adults. Marc Perensky captured this succinctly in Digital Natives vs. Digital Immigrants, “As digital immigrants learn–like all immigrants, some better than others–to adapt to their environment, they always retain, to some degree, their ‘accent,’ that is, their foot in the past.”
So what should we remember about digital immigrants?
*They are less knowledgeable and comfortable with technologies and how to use them
*In general, they tend to obey rules and respect authority
*They view security as a higher priority
*They have more experience with traditional training styles, so their expectations are lower
With a better understanding of these groups, we can see that a primary challenge in security training is to figure out how to effectively reach both digital immigrants and digital natives.
First and foremost, we must recognize the different personalities and needs. As Perensky points out, Millennials grew up on “twitch speed”—think video games, instant messaging and fast-cut editing of movies and music videos. They don’t have the patience for step-by-step, linear teaching styles.
Engaging Security Awareness Training Works for Natives and Immigrants
Fortunately, security awareness training that is carefully designed to be interactive and capture interest has proven to be effective for digital natives and immigrants alike. Real-world situations, powerful stories, problem-solving exercises, and intelligent games delivered via rich media increase the relevance of the material and can have long lasting impact on behavior.
Thanks to the palm-size supercomputers we carry everywhere, we all have information overload these days. It’s important to deliver concise training modules that don’t attempt to cover every threat vector or unsafe practice at once. Frequent training in short intervals keeps security issues top-of-mind and provides fresh instruction on emerging threats. This visible commitment to protecting and strengthening employees, data, IP and infrastructure demonstrates that cyber-security is a companywide, ongoing priority.
Once you have captured employees’ attention with effective security awareness training, the next major challenge is cultivating lasting behavior changes. Because our technology is almost an extension of our bodies, we perform many computing tasks on autopilot.
For example, do you always think about the hygiene of the WiFi source you are connected to when traveling? Do you pause to think about malware or phishing when you’re on-the-go and multitasking?
Digital natives and immigrants will find themselves working through their language differences in many ways as workplace demographics continue to shift and more Millennials, then Generation Z, become managers and executives. If we can succeed in getting employees to train and work together to understand the shared nature of risk and vulnerability, and to form an effective first line of defense against cyber-crime, we will have established vital common ground to cultivate future growth and success.
About the Author
Marie White is the CEO and president of Security Mentor, a pioneer of innovative security awareness training that drives real behavior change by combining engaging, highly interactive training with content-rich lessons that convey critical security information. White has amassed a wide range of experience in security, technology, business, and science in her professional career, with more than 15 years working in information security. White holds a Doctor of Philosophy and Masters in the physical sciences. She also holds certifications as a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).