These Films Won’t Win Any Oscars, But They Might Save Your Company
A new generation of security-awareness training videos with cinematic, Netflix-worthy storytelling—comedy, drama, suspense—is getting workers talking instead of yawning, and more cyber-vigilant than ever. Or at least that’s the goal.
These are not the kind of reviews you’d expect to hear from employees about a mandatory security-awareness training video.
“Fun and exciting!!!”
Such positive comments rolled in for a film series produced by Living Security, a leading maker of human risk-management content. More Bourne franchise than boring corporate tutorial, “Born Secure: Training Grounds” follows the adventures of Jacob Webb, an ordinary office worker-turned-elite cyber operative, recruited in Matrix-like fashion by a squad of covert ethical super-hackers. In the series trailer, as menacing music throbs, we see Jacob peer suspiciously at a security camera. Someone’s running, a chair overturns, drones whirr overhead, and Jacob bursts out of a security door into the blinding sun.
It’s a far cry from the typical PowerPoint snoozefest that’s more likely to prompt eye-rolls than any real changes in office behavior.
Implemented by 97% of organizations, security awareness training too often utilizes content for the sake of content, and that method doesn’t work, says Drew Rose, founder, CSO, and head of strategic development at Living Security. “It was just to check off a box,” Rose says. The employee did the assignment, but that was the extent of the engagement. Such perfunctory sessions are not only boring—and thus ineffective, say analysts—but they also lack the metrics to determine whether the participants actually learned anything.
“Learning and development is most effective when offered through continuous, engaging real-life crisis simulations,” explains Bec McKeown, director of human science at Immersive Labs, a U.K.-based training center with offices in Boston, which tests and measures cyber capabilities and workforce resilience.
The hope is that by making such educational content entertaining and interactive, employers will get staffers talking about the training session around the watercooler and encourage them to take cybersecurity more seriously.
Humans are the weakest link
It’s long been accepted that humans are the weakest link in an organization’s cyberdefense, but the right kind of training can help fix that by boosting awareness of, and vigilance toward, potential risk; improving morale; and making employees feel smarter about their role in their organization’s overall cybersecurity posture.
“Businesses are increasingly realizing that their tools and technology are no longer enough to ensure resilience; the capabilities of individuals and teams are just as important,” says Dr. John Blythe, chartered psychologist and director of cyber workforce psychology at Immersive Labs. “Many employees experience fatigue from dry presentations, while others are exhausted by the tired e-learning courses they click through, learning nothing despite hours of instruction.”
And the problem, it seems, starts earlier than you might think.
Workers are often discouraged about security awareness training even before they see those dry presentations and e-learning courses. It begins with the disconnect between tech and non-tech employees in the company.
There’s a tendency for some in the tech world to treat non-tech co-workers as less savvy and aware, Rose admits. If the non-tech employees aren’t feeling respected, they’re less likely to reach out to IT and security teams when there’s a problem.
Because end users have such a huge impact on corporate risk, there needs to be more effort put into relationship-building between tech and non-tech, say experts. With this in mind, business leaders are turning to techniques like gamification and contests with great swag for prizes, as a way to bring the two sides together, improve communication, and in the long run more effectively mitigate risk.
Those leaders are also reviewing their training content with a more discerning eye, ditching PowerPoints in favor of content that might seem more at home on, well, Netflix.
Let’s go to the movies!
The goal of good security awareness training videos is twofold, says KnowBe4’s chief evangelist and strategy officer, Perry Carpenter. Security leaders need a product that will build on the relationship between their team and employees, and that is done by showing workers you care about their interests. You also want to engage with them on a human, emotional level, because when you do, you improve the potential for greater retention of information.
To build better security awareness materials, security companies like KnowBe4 and Living Security took notice of how employees spend their free time and the type of content they engage in. Spoiler: People like to watch movies and binge TV series. There was no reason why security awareness training films couldn’t simulate that same type of entertainment.
Taking a cue from the likes of Showtime’s Homeland and Fox’s 24, KnowBe4 developed “The Inside Man,” a multi-season series that follows a typical episodic format with a recurring cast of characters and plotlines that revolve around different security risks. Season 4 featured a ransomware attack on an international energy company and the travails of a global influencer duped by a deepfake. The trailer for Season 5 dropped in January.
Ninjio, a security training firm based in Westlake Village, California, has opted for animation. The outfit produces three-to-four-minute animé-style videos on everything from business email compromise to password protection, written by Hollywood writers with shows like CSI: NY and Hawaii Five-0 on their resumes.
Living Security’s videos, meanwhile, offer something for almost everyone. Fan of reality shows? Then you might like “The Cyber Race,” an homage to the Emmy-winning juggernaut Amazing Race, with globetrotting pairs searching for clues and completing challenges related to digital identity, phishing, and other security issues. Cooking-show aficionados will learn about cybersecurity while preparing new recipes with “Cyber Kitchen.” There are also spoofs of late-night talk shows, popular movies, sitcoms, and an eerily believable true-crime-style documentary teaching viewers the signs of insider threats.
Security awareness training starts with a good story
Experts in organizational behavior have long praised the power of storytelling as an effective means to engage stakeholders. Psychologists have found that lessons embedded in a well-told story are remembered longer, and more accurately, than those derived from facts and figures. And researchers at Johns Hopkins University recently credited storytelling as a means to get patients with cancer, diabetes and hypertension to change their behavior.
The cinematic training film works, say advocates, because users don’t see it as a waste of their time. It’s a chance to watch something for work that is fun. Viewers may even get invested in it.
“We get emails from security teams saying their people are asking for the next episode or season,” says KnowBe4’s Carpenter. “We’ve heard stories of employees who change jobs but sign up with us just to be able to keep up with the episodes.”
Rose at Living Security sees the move to cinematic films as a logical next step in security awareness training.
“Awareness training is moving from the ‘what is security’ model to ‘why is security important,’” says Rose. People know what phishing and ransomware are. These films, he says, show in greater detail how cyber incidents impact an organization. They also demonstrate the industry’s evolution from the concept of “security awareness training” to “human risk management.” Employees are aware of security. Now it is time to manage their risk.
By doing so, says Carpenter, business and security leaders can impact not only employee behavior but also the entire workplace culture.
So while you won’t see these titles up for awards at this week’s Oscars ceremony or the Emmys telecast later this year, they will go a long way to keeping your organization safe. And that’s better than any trophy.