I recently attended the Learning 3.0 Conference in Chicago, IL. As someone whose career has been primarily about security and mitigating risk, I realized we have a lot to learn from others about cognitive behavior and the science of learning. I attended several excellent talks at the event which I'll be sharing over the week. The first lesson I want to share with you is the Forgetting Curve, research first done by Hermann Ebbinghaus in 1885. The concept is human's quickly forget what they learn unless that information is reinforced. If you think about it, this makes perfect sense. We as people are constantly bombarded with information, and we can retain only so much. As part of a survival method, the brain retains (or 'encodes') what it can, but over time dumps most of the information to create room to retain other key information. If the topic is never needed again, nothing is lost. However if the brain finds itself needing the information again, it realizes it is important and is more likely to permanently remember it. Kind of sounds like caching, doesn't it?
This is why for security awareness training it is so important we are continually updating and reminding people about key points. In a talk I attended by Dr. Art Kohn, a specialist in Cognitive Science - Educational Psychology, he suggested the following for reinforcing (or boosting) key points.
- Reinforce within the first two days. A perfect way to do this is with a follow-up survey asking people what is the key thing they learned from the training, and which behavior they changed as a result of the training.
- Reinforce within the first two weeks. A perfect way to do this would be a phishing assessment or physical security walk through.
- Reinforce within the first two months. A perfect way to do this would be a newsletter or lunch-n-learn.
If you think about it technology has their own version of the Forgetting Curve. If you secure a computer today then do nothing else for the rest of the year, over the proceeding weeks and months its security continually degrades, to the point where a year later it is a highly insecure system. That is why we have active patching management programs to maintain the security of computers. An active security awareness program is no different, you need to be continually and actively reaching out to and updating people, patching them if you will at least every month. This is where most security awareness programs fail.