By Laura Bishop, Director of Human Risk Science at OutThink
Many organisations now provide their employees with some form of cybersecurity awareness training, but upskilling means so much more than simply instructing. Looking at what is meant by a ‘skill’ allows for recommendations on how companies can effectively upskill their employees and measure success.
A skill is a combination of having the required knowledge, experience, and eventual ability to conduct a behaviour. Acquiring a skill requires more than just knowledge. It is a process of experiencing specific knowledge continuously until it becomes habitual. For employees to learn the skills required to protect your organisation from a cyber-attack, they need to move through the following 3 learning stages:
- Be provided with instructions on how to carry out the task.
- Have the ability to practise the task enough times to be able to master it.
- Continue to conduct the task until it becomes automated and converts into a habit.
In cybersecurity, there are several skills that employees need to learn, from the ability to detect phishing emails to the capacity to set secure passwords to avoid exploitation. Cybersecurity behaviours also vary in their degree of difficulty; however, even the simplest of tasks requires habit formation to ensure it continues to be completed when under the cognitive strains of the working day.
How do you more effectively upskill employees?
If employees are trained on an element of cybersecurity that they are unlikely to regularly experience, simulated practice will be required, or the skill will never be acquired. Through this practice, current cognitive strategies are restructured to include the new skill, often in the face of cognitive biases and decision-making errors.
The amalgamation of several theories in relation to learning suggests employees should experience the following 7 steps:
- Instructions on how to conduct the skill. This can be accomplished through conventional awareness training.
- Regular opportunities to practise the skill. This can be achieved through games that mimic the behaviour, evidencing that the skill can be demonstrated.
- Feedback on how the skill is being conducted and can be improved. Employees should receive communication, a report or an awareness dashboard to inform them of progress.
- The ability to make their own judgements on this feedback. A facility should be available for employees to communicate challenges experienced whilst trying to acquire the skill.
- Experimentation with the skill in new contexts. Employees can conduct the games previously mentioned under time pressure or when multi-tasking to adapt to the context in which the skill may occur.
- Continue with the above until the task becomes automatic. This is measured through in-the-wild or true-to-life simulations that indicate whether the skill is habitually utilised in a more automatic and realistic scenario.
To become skilled in a task, employees need to move along this continuum from novice to becoming so proficient that the behaviour occurs naturally even when busy at work. An example could be an employee learning to automatically scan the full sender email address with each email opened.
How do you effectively measure skill?
There are believed to be 3 ways in which skill can be generally measured:
- By the demands of the task itself, e.g., completing an entire puzzle.
- By a person’s previous performance, e.g., completing more of the puzzle than yesterday.
- Against the performance of others, e.g., completing more of a puzzle than someone else.
Behaviour change is more likely to take place when people are attempting to achieve personal mastery. Mastery helps increase motivation; however, when people are judged in relation to others, feelings of competition can lower motivation and therefore the intent to comply. This suggests that when organisations communicate results to employees, competition should be reduced by encouraging them to focus instead on achieving their personal best.
With skill-related metrics, the idea is to identify ways to highlight weak spots, determine trends, direct interventions and judge the success of their implementation. Not all skills can be easily measured through behavioural observation, which makes more subjective measures a requirement. For example, measuring how many times an employee locks their device as they walk away from it could be a tricky calculation. Therefore, subjective questions need to be asked to provide at least some idea of whether the intention to conduct the behaviour is present. However, subjective data must be analysed with caution due to the existence of potential bias, e.g., employees not wanting to reveal their struggles with cybersecurity.
Subjective metrics, such as self-efficacy, can also help indicate why an employee may not be conducting a behaviour you have observed. Self-efficacy is the perception that someone has of their ability to carry out a behaviour. People conduct behaviours because they want to achieve a goal and believe they can do so. If an employee has recorded high self-efficacy but low motivation, this would indicate that while they feel capable of conducting the behaviour, they are not doing so because they are not clear on its value.
Skill is more than just education; it is about providing employees with the opportunity to transfer learnings into behaviour and then drive them into habit. While you will need to judge an employee’s knowledge and behaviour against their peers, try to focus their motivation on beating their own personal best. Where possible, find ways to collect objective data for each skill you are asking employees to learn. However, objective data may not always be available, so it is important to fully understand the benefits and barriers of utilising subjective data for some cybersecurity behaviours and psychological concepts.
Upskilling is more than education. Do they know how to do it? Do they want to do it? Can they do it? Can they do it under pressure?
To see how the OutThink Cybersecurity Human Risk Management platform raises awareness, drives more secure behaviours, and increases motivation across an organisation, please get in touch with FUEL Online at email@example.com
FUEL has partnered with OutThink to include its award-winning human risk management platform as one of the software solutions it offers clients.