Quality training needs to activate behavior change, develop a cybersecurity mindset in employees and cultivate good habits.



Possibility is powerful. And people who experience life as full of possibility are capable of extraordinary things. People who think that little is possible for them have a very different experience of life. They tend to think that life is short and nothing good is likely to happen. So why not live dangerously now? People who experience life in this way tend to make poor choices. And they tend to engage in high-risk behaviors.

More than a decade ago, our Cognician founders, Barry and Patrick Kayton, worked on a project with LoveLife – a youth-focused HIV prevention organization based in South Africa. The organization’s programs aimed to reduce HIV infection rates within the community through prevention-focused intervention. The question they posed to Barry and Patrick was, “How do we activate a mindset of possibility to reduce behaviors that could potentially increase HIV infections?”

There were and are many ways to reduce HIV infections. The path of innovation to tackle HIV focuses on medical approaches, such as research into creating an HIV vaccine. The path of activation focuses on people and education around preventative behavior.

So Barry and Patrick began to collaborate on an ambitious series of programs that activated a risk-reduction mindset in participants.

The programs focused on helping the young participants develop a sense of possibility within their future lives, especially if they became committed to certain risk-avoidant values.

That is the approach of activation. It's about creating meaningful experiences for people that provide guidance for behavior that yields a positive, happy life with fewer risks.

When it comes to cybersecurity, the path of innovation is to build better firewalls that hackers struggle to get through. But the truth is that most vulnerabilities in companies don't come from the technical aspects of security; they come from the human aspects. And so the path of innovation alone isn't going to help solve the problem of cybersecurity. To radically reduce behaviors that are risky for cybersecurity, you need the path of activation.

Training Should Drive Employees to Take Action 

Many traditional approaches to change management are ineffective. A study by TalentLMS and Kenna Security found that 69% of respondents have received cybersecurity training from their employers. And yet, when asked to take a basic quiz, 61% failed.

Organizations need to activate their employees to adapt to change and adopt new ways of thinking and working. Instead of telling people why they should change their passwords, it's far more valuable to get them to actually change them right now – and then make a habit of changing them regularly.

Learning is most valuable when people actually need it. Activating people to turn their knowledge into immediate action makes learning stick. This reframes the information from being 'just in case something happens' to being 'just in time for the action you need to perform now'.

Training programs should get participants to take action, like changing a password or setting up 2FA on all accounts.

Although many security-related actions are quick and easy to perform, a to-do list can slip your mind when you're busy. Once participants have committed to taking action, the program needs to follow up to ensure that tasks are completed. A little regular nudging goes a long way to creating lasting change.

Training Should Develop a Cybersecurity Mindset in Employees

A study by Tessian found that 43% of employees are "very" or "pretty" certain they have made a mistake with security repercussions while at work.

Despite the countless dollars spent on conventional security training, it isn't sticking.

Learning is powerful when it produces results. But people don't learn by repeating things they have heard and temporarily memorized. Rather than trying to catch people out, questions should inspire creative and critical thinking. This is a technique called generative learning.

This kind of learning can help to develop a lasting, proactive cybersecurity mindset in employees.  

Instead of asking employees to answer "yes" or "no" to a dull survey, generative learning develops critical thinking skills. It requires employees to engage their minds by finding a specific solution to a problem.

This type of learning goes a long way to solving the problem of boring traditional training. People enjoy coming up with their own ideas and creating meaning from the process. But there’s more to this than just enjoyment. 

In The Art of Changing the Brain, James Zull makes the point that a person’s brain changes physically when they recognize the importance of what they’re learning. It’s not enough to tell people that something is important. We need to create the conditions in which they realize this for themselves. And one of the most powerful ways to achieve this is through generative learning, in which we take a person to the cusp of a realization and then allow them to connect the dots for themselves. These moments of realization – epiphanies – are unforgettable and change how people think, forever.

Training Should Create Good Cybersecurity Habits

Good habits are the foundation of cybersecurity, just as they are for security in the real world. Just as people lock their doors and wear their seatbelts without thinking twice, online security habits need to be cultivated.

Once-off training cannot build habits. Spaced practice is necessary to activate behavior change. Reviewing learning material over a long period of time allows the brain to make connections between concepts. This solidifies the knowledge, making it easier to recall at a later stage.

Employees might know all about cybersecurity right after a training session, but how much will they know in the weeks and months that follow?

To make learning stick, training needs to be seen as an ongoing process. It should aim to build habits rather than focus solely on achieving goals. While goals are ideal for achieving something, habits work best for maintaining something. 

When it comes to cybersecurity, your employees are your first and last line of defense. The right kind of training can activate your organization’s security maturity and secure your business.

