
4 keys to successful training

As cyberattacks increase, companies are increasingly aware of the need to implement security awareness programs to train their employees against these attacks. Routine training is essential, but is the security training employees receive as effective as it could be? Most of us have had training programs (the dreaded PowerPoint presentation) at work that we had to complete for compliance purposes. However, a few weeks later, we forget all about it because it had no impact on us personally. It was just another procedure that we completed before moving on. What if the training appealed to us personally? Standard training may require the implementation of new tools or procedures, but effective training goes beyond that. There are 4 keys to successful training that will make all the difference for employees and companies alike.

Have metrics and measure training effectiveness

How can metrics improve training? Metrics allow you to objectively assess the effectiveness of your training. Realistic testing gives you accurate data points to quantify and validate the effectiveness of a training program. This will allow you to identify not only the number of employees who successfully completed the training, but also the rate of behavior change as a result of the training. Analyzing test results against training can help determine if your training program is having the desired effect. It can also reveal gaps and areas where employees struggle the most. Executing a training program without measuring its effectiveness would be like playing darts blindfolded. The clearer your focus on the target or objective, the better your chances of success.


Add layers

Providing one form of training, repeated over and over again, may not be effective for all users. In addition to training via the company intranet, adding newsletters and landing pages featuring hot topics could increase employee interest. Others may enjoy learning at in-person events such as luncheons and conferences. In this relaxed group setting, employees can feel more connected to the information given in the training. Additionally, many companies find it beneficial to send some of their employees to conferences that provide training on various aspects of security awareness. Adding layers to the training will ensure the information reaches more people.

Humanize your training

It is common to blame the recipient when the training does not yield the desired results. But could there be a gap in the training method? Focusing on the human aspect of security training will help identify training gaps. Many companies provide the same training to all employees, regardless of their job title. However, “one size fits all” training is not effective. Security awareness needs vary from department to department. The risk for someone working in accounting will be different from that of an executive. The training they receive may have nothing to do with their job. If the training does not seem relevant to the employee, it will not provide effective instruction.

For security awareness training to be effective, it must be interactive and multifaceted. The different facets of the training should have sections that address different learning styles, whether audio, visual or hands-on. This will keep employees engaged and therefore make the training more efficient.

Take care of your users

Communication is vital for information security training. To develop good communication with employees, a company must show that it cares not only about what happens at work, but also about how the training it provides benefits the employee as a person. If an employee’s personal computer is compromised and they fear losing photos of loved ones, can they really be productive at work? To keep employees interested in training, it is important to choose relevant topics. If we are to invest our time and our attention, we must know: what’s in it for me? Emphasis should be placed not only on how to protect the business, but also on how the information provided will help employees protect their personal information, as well as their family and friends.

In the business world, great importance is placed on building relationships with customers by establishing trust. It is just as important to build a relationship of trust with our employees. Therefore, we need to consider the feelings of employees when launching security awareness training. Unfortunately, there have been cases where companies tested their employees by sending phishing emails promising them an end-of-year bonus, only for the employees to find out that it wasn’t real. What lessons do employees learn when they feel demoralized? Tests that elicit a visceral fear response are not effective. Instead, we need to humanize our colleagues so they can see training and testing as a tool for them, not an adversarial attack.


It’s not just about giving training, but measuring the effectiveness of the training. Assessing our training can help identify any gaps. Then we can reassess the delivery and make it relevant by including topics that people care about. Security awareness training should focus not only on the end goal, but also on how it will affect the people who serve that company. A point to remember is that we not only train our employees, but we also build trust. To do this, we build empathy into our tests. Any type of training, be it phishing, vishing, etc., should not be based on fear. Employees need to see their IT departments as defenders, not adversaries.

When influential information security practitioner Kate Mullin was a guest on the Social-Engineer podcast, she said, “Part of employee engagement is, you have to care about them, and that can’t be fake. It has to be real.” Implementing a security awareness program that considers not only the needs of the business, but also those of employees, can create a partnership that results in greater security for everyone.

Do you want to humanize your training?

Social-Engineer provides custom managed services to help organizations assess and educate their human network. We take a personalized approach to training and testing. Our team of expert social engineers focus on the tactics hostile attackers use to influence and manipulate people through phishing, vishing and impersonation. We will assess your organization’s vulnerability to a social engineering attack. Then we will provide you with personalized training and advice to make your business safer. For detailed information on the services we provide, please visit



*** This is a syndicated Security Bloggers Network blog from Social-Engineer, LLC written by Social-Engineer. Read the original post at:
