Security Awareness Blog

The Forgetting Curve - The Importance of Reinforcement

I recently attended the Learning 3.0 Conference in Chicago, IL. As someone whose career has been primarily about security and mitigating risk, I realized we have a lot to learn from others about cognitive behavior and the science of learning. I attended several excellent talks at the event which I'll be sharing over the week. The first lesson I want to share with you is the Forgetting Curve, research first done by Hermann Ebbinghaus in 1885. The concept is human's quickly forget what they learn unless that information is reinforced. If you think about it, this makes perfect sense. We as people are constantly bombarded with information, and we can retain only so much. As part of a survival method, the brain retains (or 'encodes') what it can, but over time dumps most of the information to create room to retain other key information. If the topic is never needed again, nothing is lost. However if the brain finds itself needing the information again, it realizes it is important and is more likely to permanently remember it. Kind of sounds like caching, doesn't it? :)

This is why for security awareness training it is so important we are continually updating and reminding people about key points. In a talk I attended by Dr. Art Kohn, a specialist in Cognitive Science - Educational Psychology, he suggested the following for reinforcing (or boosting) key points.

  1. Reinforce within the first two days. A perfect way to do this is with a follow-up survey asking people what is the key thing they learned from the training, and which behavior they changed as a result of the training.
  2. Reinforce within the first two weeks. A perfect way to do this would be a phishing assessment or physical security walk through.
  3. Reinforce within the first two months. A perfect way to do this would be a newsletter or lunch-n-learn.

If you think about it technology has their own version of the Forgetting Curve. If you secure a computer today then do nothing else for the rest of the year, over the proceeding weeks and months its security continually degrades, to the point where a year later it is a highly insecure system. That is why we have active patching management programs to maintain the security of computers. An active security awareness program is no different, you need to be continually and actively reaching out to and updating people, patching them if you will at least every month. This is where most security awareness programs fail.

5 Comments

Posted November 1, 2012 at 4:50 PM | Permalink | Reply

Geordie Stewart

Very interesting thanks Lance.
Do you think some things get remembered longer than others? Eg ''this company fires people who break the rules' vs ''here is how to use PGP'? Do you think the curve applies more to tasks than a sense of right and wrong?

Posted November 1, 2012 at 5:49 PM | Permalink | Reply

lspitzner

Great question, honestly I don't know. One thing Dr. Kohn brought up is that reinforcement is more effective if people have to recall the information, as opposed to just reviewing the information. So for example, reading a newsletter would be more passive reinforcement, while getting a social engineering phone call (as part of an assessment) would be a far more active method. Obviously this quickly gets more complex once you throw motivations into the mix also.

Posted November 6, 2012 at 10:54 AM | Permalink | Reply

Tim Harwood

Hi All, There was some interesting research done recently and reported by the ASTD where they were pushing some really high numbers about how much is spent (in $) versus what is remebered within 12 months. The figures show that in 2011, US companies spent approximately $156 billion on training employees but that roughly 90% was forgotten by the employees unless it was reinforced with futher practical follow-ups and assessments. Bob Mosher always refers to the concept of Performance Support after Learning and I think that is absolutley relevent here.

Posted November 6, 2012 at 6:42 PM | Permalink | Reply

Kati Rodzon

Hi All, I have some training on memory and the forgetting curve and it's less so about what's right and wrong and more about what memories are recalled more often. For example, if you are given a 7 digit number and do not recall (I think what is being referred to as reinforced) that information over the next 7 months that curve is very steep. Conversely, if the information is recalled consistently (like when training is followed up with practice) that curve becomes more shallow. This is theorized to be because when you recall a memory you actually are ''brining it out' of storage and then re-encoding it. Almost like a new memory. So, unless the memory of right and wrong was recalled- or brought to mind- more than the other, the forgetting curve doesn't really change based on that.

Posted November 9, 2012 at 11:43 PM | Permalink | Reply

Dave Piscitello

Hi Lance,
Good post. I've borrowed your reinforcement strategy and applied it in a complementary manner; specifically, I considered whether we can use our understanding of the Forgetting Curve to help users not only remember passwords but also make them stronger? My post is at http://securityskeptic.typepad.com/the-security-skeptic/2012/11/overcoming-the-forgetting-curve-how-to-improve-passwords.html for those who are interested.