When you consider your bank's security awareness training, what comes to mind? Maybe you think of an hour-long lecture you present (or attend) on an annual basis. Maybe you think of an online program you watched or a lengthy document you read. Whatever may come to mind, it is important to ask the question: How effective is this training?
TD Ameritrade Institutional and the Financial Planning Association Research and Practice Institute published a study in September 2016 describing how advisory firms manage cybersecurity awareness training. The results were not far from what I have come to know from time I have spent with banks. The study showed the vast majority (88%) of respondent firms said they spend two hours or less annually in on-going cybersecurity awareness training. Fifty percent of the same group said they conduct this training semi-annually or annually.
With this combination in length and frequency of training, it should not come as a surprise when security firms report employee-based security issues are on the rise, such as phishing and ransomware attacks. When security awareness training is treated as an item to check off our annual compliance checklist, we can miss the bigger picture.
Security awareness training related regulation and guidance is ambiguous, at best. The Interagency Guidelines Establishing Information Security Standards simply say,
"Train staff to implement the bank's information security program."
In a similar way, the FFIEC's updated Information Security Booklet contains very little training content (see Section II.C.7(e) Training).
Ambiguity is scary. We do not want to overstep boundaries, so we tend to follow the crowd in situations lacking clarity. However, ambiguity can also be liberating. It means we have the flexibility to ask and explore potential answers to important questions. With regard to security awareness training, one of the best unanswered questions may be "How much time should employees spend on training?"
As shown in the study discussed earlier, we have traditionally chosen to present training once or twice a year in hour-long sessions. While there is nothing inherently wrong with this, the flexibility of guidance around this topic and continued issues we face should encourage us to try something new.
You do not have to research far to find various studies showing humans have a limited learning capacity. For example, in 1979, two scholars named Dr. A. H. Johnstone and F. Percival published a study titled "Attention Breaks in Lectures" in which they surveyed student attentiveness across 90 college lectures that ran 50-minutes in length. Following is an excerpt from the results of the study:
"A general feature observed in most lectures was a period of non-attention right at the start of a lecture, due to the class 'settling down'. The next lapse in attention usually occurred 10-18 minutes later, and as the lecture proceeded, the attention span became shorter and often fell to three or four minutes towards the end of a standard lecture."
While you may think things have changed in the past 30 years, I would not say they are for the better. In a 2013 study conducted by Microsoft Canada's Consumer Insights group, researchers found the average human attention span was eight seconds.
Now, I do not know your situation. While you may have some employees who enjoy learning about security for the joy of education, you likely have just as many employees who feel security awareness training is a struggle. The good news is this: You have options.
If you find employee attention and retention is a struggle, instead of meeting for an hour annually to address all security topics, consider these alternative approaches:
- Meet four times a year for 15 minutes.
- Meet six times a year for 10 minutes.
- Meet once a month for 5 minutes.
Each of these alternatives provides the same amount of training time, but shorter, more frequent meetings may provide some potential benefits, including:
- The ability to emphasize current events and individual topics.
- Less disruption in employee schedules.
- Improved retention rate and employee morale.
There is no single proven way to conduct security awareness training with employees. If you find you or your employees struggle with training though, shortening sessions is a simple and cost effective way to explore a different training method. In the end, it is important to find what works best for you and ultimately improves the security of your bank.
