Recently we have been discussing different methods of training and how to change behavior, such as the halo effect of reinforcement training. Today I wanted to take a step back and do a brief review of the two different categories of security awareness training and a simple way to compare these two categories to common security practices.
Primary: Primary training is when people learn something for the first time, or what some in the cognitive behavior field call 'encoding'. This often takes the form of an onsite workshop or computer-based training where people learn about all the different topics involving security. If you think of people as another operating system (the HumanOS), then think of primary training as the initial secure build of a computer. You have built it from the ground up with security in mind. However, as we all know, even the most secure operating system quickly degrades over time. As such, security is an active process, a continuous lifecycle.
Reinforcement: Reinforcement training is actively following up and reminding people of key topics, or what some in the cognitive behavior field call 'boosting'. Once again, let's use the analogy of people as nothing more than another operating system. Once secured, computers are constantly and actively updated, such as through a monthly patch cycle or the installation of new or updated security software. People are no different: they must be constantly updated, and key concepts must always be reinforced.
Where I see most organizations fail is reinforcement. You need an active, engaging program where you are continuously touching people on key security issues. And you have to do it in a manner where they enjoy the program. Ultimately, a key metric for me is whether people like your program. If they are asking you how their family can take the training, you have a winner. If they don't like the training and you are not engaging them, you can never truly change behavior.