Security Awareness Blog

Guest Post - Enticing Employees to Self-Educate

Editors Note: This blog post is from Lori Rosenberg, part of the security awareness team at eBay. Here she covers her upcoming talk at the Security Awareness Summit (#SecAwareSummit) this 10 Sep in Dallas. The summit brings together awareness officers from around the world to share how they are taking their program to the next level, and how they are measuring that impact.

Like most large organizations, I'm limited in the frequency and length of communications in which I'm able to send to large groups, so I have to make the most of all opportunities when I push information to our employees. This is one of the many benefits of having an education center. The education center is an internal portal, acting as a clearinghouse for all security-related information and has a symbiotic relationship with my communications. I'm able to provide a deeper dive about the topic on each communication I send by linking to content I have available on the center. If I don't have something already fitting for that communication, I create something and add it to the education center, so I'm never without a link for more information.

In turn, each communication I send drives people to the education center via the links. I can see by pulling stats on page hits that employees are not only clicking those links, but they are actually looking around at more content available to them. If I post a link to something which sounds exciting, I typically see 2000+ page hits to the education center over a period of 2-3 days. In essence, employees are self-educating with no incentive other than something looks interesting to them. This means I'm accomplishing my goal to get employees to pull information, rather than rely on limited opportunities to push education.

The key to employee self-education is to make learning opportunities enticing and diverse. I typically have more than one link going back to the education center in each communication just to make sure there's something to attract the reader to click. I'm always careful to make that link hard to resist, but also relevant. Once you hook them in, it's important to make the learning opportunities within the Education Center varied so you have something which appears interesting to all types of learners. Use catchy titles, for example, "What Were They Thinking?". Who wouldn't want to click on that title?

Am I being a social engineer? Quite possibly, but in a good way.

BIO: Lori has over 20 years of training experience designing and delivering a wide range of topics via classroom learning and eLearning. Lori uses many methodologies to maximize awareness which include company-wide communications, designing and programming eLearning, creating campaigns and awareness activities and developing educational opportunities using her favorite tool, SharePoint. Lori considers herself a SharePoint 'nerd' and makes the most of its functionality to provide awareness in many formats to ensure that there's something to cater to each type of learner. Lori started providing InfoSec education and awareness materials for eBay in 2009 as a contractor, and is now an employee educating employees at an .Inc-wide level. Prior to contracting work, Lori specialized in risk-based training as the Education and Awareness manager for Regulatory Compliance (3 years) and then Education and Awareness manager for Information Security (2 years) at WaMu (Washington Mutual Bank). Lori's credentials include ASTD Certified Web Based Training Designer.