Our attention spans and working models have drastically changed over the years and so too should our approach to cyber security awareness training. Microlearning and gamification are the key to filling the gaps left by traditional training styles, including increasing knowledge retention and staff enthusiasm.
Modern cyber security issues call for modern cyber security awareness
The cyber landscape has drastically transformed over the years, but there’s been a notably dramatic change within the past decade. Cyber-attacks are on the rise and hackers are growing more and more relentless each day. Their targets are essentially anything and anyone – but they’ve taken a special liking to targeting the human aspect. Could microlearning and gamification be the key to mitigating the threat of costly breaches?
Cyber security best practices have been lost on remote workers
We’ve experienced quite an interesting shift within the past 12 months, with COVID-19 having widespread effects on cybersecurity and working models across the globe. Approximately 80% of Australia’s workforce shifted into remote work, and the hybrid WFH model still lingers for some. 
Alongside this move to remote work, many saw persistent or increased breaches within their businesses. The OAIC’s Notifiable Data Breach report shows that malicious attack accounted for 58% of notified breaches.  Data breaches resulting from human error also accounted for 38% – an increase of 18% since the last period. 
We can correlate this rise in human error breaches with the fact that only 32% of users were trained on remote working security best practices.  In addition, some personnel may have prioritised convenience and efficiency over security– pushing best practices to the wayside while WFH.
The dominance of human error, phishing and compromised credentials
Either way – it’s clear that our workforce was ill-equipped to deal with the explosion of targeted phishing scams, social engineering techniques and ransomware attacks. According to Proofpoint’s 2021 State of the Phish report, 57% of organisations dealt with successful phishing attacks last year.  On top of this, phishing (compromised credentials) accounted for 25% of breaches. 
We need to do security awareness training – but it needs to be done better
“Organizations that are not regularly and thoughtfully factoring users into their security postures are ignoring an audience that attackers covet.” 
The older approach was to take everything staff were learning – across policies, procedures etc. – and translating them into long-form digital modules. The length of courses meant that employees would be pulled away from their jobs for longer periods of time and this often led to a significant drain on resources.
As humans, we also have a natural propensity to forget. Some studies note that our distraction free attention span has gone from 12 seconds to just 8 seconds in 13 years – although these statistics are arguable. Nevertheless, our digital society is accustomed to accessing information quickly, anytime, anywhere.
While employees need to maintain efficiency and productivity, we still need security top of mind. Yes, security awareness training is still the answer here – but there’s got to be a more effective way of doing it. Clearly, new cyber security training models need to cater to busier schedules, shorter attention spans and different consumption habits.
What do microlearning and gamification have to do with security awareness training?
What is Microlearning?
Microlearning can be defined as learning or reviewing very small bits of information more frequently and repeatedly. It upholds the conditioning aspect of security awareness training, as short variations and repetitions promote more consistent learning.
In a world where we’re constantly consuming 6, 15, 30 and 60 second media types, we’ve essentially trained ourselves to absorb information in this way.
Microlearning involves short modules that usually only a few minutes to complete. These might include:
- Illustrations or comic-like storylines;
- 1 to 2-minute informational videos;
- Interactive click -through examples; and
- Short, sharp quizzes containing only a few questions.
What is Gamification?
Gamification can be defined as the inclusion or amplification of game and game-like elements into non-game activities. This is another habit-forming booster and you’ve likely experienced gamification in other non-game elements of your life.
Gamification is often part of rewards programs, such as Starbucks, as well as fitness devices and applications, such as ‘closing the rings’ on your Apple watch.
Gamification includes integrating points accumulation, leader boards, badges, competitions and battles. It makes traditionally mundane tasks more interactive and fun – ultimately working towards better knowledge recall by activating the hippocampus.
What are the benefits of microlearning and gamification?
1. They reduce friction around learning
Integrating microlearning and gamification into training increases motivation and helps with the flow of best practices into everyday behaviour. This is referred to as ‘cognitive absorption.’ They make learning more meaningful and focused by including rich media types, such as videos, photos and other graphics. This media is already prevalent in today’s society and is therefore more efficient in driving people to action.
2. They cater to a wider audience
3. They make training easily digestible
4. They allow employees to learn and readily apply these lessons
Employees can return to their daily tasks quicker because microlearning and gamified training is so short and sharp. This means that there is a quicker turnaround, and more focus is given to their busy schedules.
On top of this, the frequency of microlearning and entertainment from gamification increase retention. This means that staff are less likely to forget what they’ve learned and are more likely to apply these lessons to optimise their everyday decisions.
5. They allow for quick and easy changes to modules:
Content Security’s Security Awareness Training
At Content Security, we deliver a range of security awareness training. We can assist you with implementing a formalised training plan with microlearning and gamified elements. We also provide a more comprehensive, guided course with our Managed Cybersecurity Awareness Program (MCAP). This program involves microlearning and gamification, however, it is a more continuous cycle of assessment, education, reinforcement and measurement.
As your trusted cyber security consultant, we will maximise your learning and increase retention rates. We will assist you with learning the ins and outs of your personnel’s weaknesses and strengths and will help you with planning training accordingly.
 Proofpoint 2021 State of the Phish report, pg. 22.
The Office of the Australian Information Commissioner [OAIC] – Notifiable Data Breach Report July – December 2020.
 2021 State of the Phish report , pg. 32.
 Ibid, pg. 4.
 Notifiable Data Breach Report July – December 2020.
 2021 State of the Phish report , pg. 20.