Security awareness training doesn't have to be a snoozefest – games and stories can help instill sticky habits that will kick in when danger is near.

The Friday Afternoon Phish

Let me preface this with a story:

Sarah's eyes darted across the email subject line: "URGENT: Payment Needed – Action Required". It was 4 p.m. on a Friday, and the CEO's name glared from the sender field. The message was specific: a payment needed before close of business to avoid extra legal costs related to Project Phoenix and the merger mentioned in last week's earnings call.

Sarah's stomach knotted. She felt like she'd seen something similar in last year's cybersecurity training, but by now that training was a blur of lifeless PowerPoint slides and mind-numbing multiple-choice questions.

Besides, Project Phoenix was real, as was the merger. Vulnerable to authority cues, Sarah shrugged off her unease and wired the money.

By Monday, reality caught up: US$200,000 vanished into an offshore account. The email? Spoofed and pieced together from press releases and LinkedIn posts. Human psychology trumped security policy.

The $55 Billion Problem

While this story is fictional, it depicts a scenario that commonly plays out in Business Email Compromise (BEC) fraud. These schemes don't rely on technical wizardry – they prey on what makes us human. By the FBI's tally, BEC fraud exposed organizations worldwide to US$55.5 billion in reported losses between 2013 and 2023.

Why Traditional Training Fails

The story exposes a major problem: even diligent employees forget what they "learned" in cybersecurity training. Dry PowerPoints, mandatory quizzes and compliance checklists are forgettable and tedious. Many awareness programs deliver mediocre results while failing to address the root issue: behavior.

This is disconcerting because the question isn't if employees will face an attack – it's whether they'll be prepared when pressure mounts. Verizon's latest Data Breach Investigations Report says that more than two-thirds of data breaches involve a non-malicious human element, such as someone making an error or falling for social engineering. Someone obliged. Someone clicked. Someone made a mistake.

Imagine fire drills where employees sit through a lecture on combustion theory instead of evacuating. When a real emergency strikes, they might burn to death clutching their certificates. So why train people to survive cyberattacks with abstract policies rather than engaging, simulated experience?

Hacking the Brain

Our brains aren't lazy – they're efficient. Every day, we process hundreds of messages, clicking and responding with minimal friction. We've become conditioned to make split-second decisions that prioritize speed over security.

The solution requires using techniques that rewire decision-making pathways and train us to suspend habitual reactions. Our brains discard dry facts to conserve energy, but they cling to emotionally-charged, participatory experiences.

This is where realistic simulations and well-thought-out gamification can help. Game mechanics are already used successfully in capture-the-flag (CTF) competitions that IT professionals eagerly join each year.

The Power of Stories

One key way of upping your organization's security game involves leveraging storytelling. Stories have always helped us make sense of the world and share survival strategies. They light up the brain's pleasure and emotional regions, ultimately changing attitudes and behaviors.

When security challenges are woven into gripping storylines – threats as characters, security measures as tools, employees as heroes – memory formation and recall increase significantly.

Realistic phishing simulations provide hands-on learning and help build muscle memory. They don't just teach – they test and reinforce the right behaviors in context and in a safe environment. The proliferation of deepfakes and AI-aided ploys raises the urgency further: consider the widely reported 2024 case in which a finance worker at a multinational firm's Hong Kong office paid out US$25 million after a video call with deepfake versions of senior staff.

From Checkbox to Instinct

Imagine that Sarah, faced with that urgent email, doesn't panic – she pauses. She recognizes the red flags because she's encountered similar scenarios in engaging security training. She's built the muscle memory to stop, think, and verify before taking action – confirming the request through a separate, known channel, such as the CEO's number from the company directory rather than any contact details in the email itself. Instead of wiring funds to a cybercriminal, she alerts the security team, turning a potential disaster into a powerful learning moment.

The end goal isn't only compliance – it's to make security behaviors stick and become almost as instinctive as flinching from fire.


Source: ESET WeLiveSecurity