(5 min read)
Human beings make mistakes – it’s just how we’re made. So it’s amazing that this isn’t incorporated or acknowledged in the way we ask people to work or act.
The majority of the systems and applications we use are based on an engineering perspective – you can do this or that, and you must do X or Y to get things to work. Over the past decade there has certainly been a lot more emphasis on ‘how would the user actually use this’ – but we’re still some way off the ideal.
The easy example is Apple. And it’s an easy example because it’s the best example. The iPod was hugely successful in its MP3 player market because it was designed to be intuitive, immediately understandable to work and therefore a pleasure to use – and it looked great too.
For us, the same principles apply to online cyber security training. The more we make training easy to access, intuitive to follow and fun to do, the more impact we will have and the more effective we will be. And part of that is knowing how and why we make certain choices – and how good quality training can influence the choices we make.
The dangers of lazy thinking
Humans essentially make choices in two ways: Fast, intuitive thinking and slow, rational thinking.
A good example of the fast thinking can be found in Daniel Kahneman’s book, Thinking Fast and Slow:
A bat and ball cost $1.10. The bat costs one dollar more than the ball. How much does the ball cost?
What probably came to mind first is ten cents, and you’d be wrong. This is the result of your system 1, automatic fast thinking. Take a moment and think about it. The right answer is five cents. The automatic mind took over and your ‘intuition’ told you 10 cents, which seemed right but (and we’re sorry to say this) it demonstrates the innate mental laziness of us human beings.
Understanding that our brains regularly take these lazy shortcuts means we can build that propensity for error into training – it helps us to see how we can help people avoid making mistakes. In our online cyber training, we use this knowledge to anticipate the shortcuts that people might naturally take in IT security and teach them how to take a moment, think about it, and act differently.
In general, most corporate training ‘gives’ us information – things that the trainer thinks we should know or do. But knowledge in itself does not influence the way we behave. So, in order for training to be most effective, we need to do more than ‘teach’; we need to change behaviours.
How do we use this in our cyber training?
We use behavioural science research and thinking to understand why people do what they do.
In a state of ‘cognitive ease’, our intuitive System 1 (fast thinking) is in charge of our mind and the logical, deliberate and more energy demanding system 2 (rational thinking) is weakened. So we might be more creative, intuitive and happier – but we are also more likely to make mistakes.
A good example of this is something we have all been guilty of: happily flicking through our emails one by one and inadvertently clicking on a link. If we’re lucky, the link will be innocent. If we’re not, then we’ve already become the victim of a phishing scam – without really noticing it. This is made extra difficult because for 20 years the IT, media and online advertising industries have been telling us to ‘click on the link’. So telling you not to is not going to do much: we need to help you break that habit and develop a new one.
This is one of the reasons that Psybersafe cyber training is deliberately set up as short monthly episodes. It means we can repeat messages over time – and these messages are more persuasive when we are repeatedly exposed to them.
This could be because we evolved in a way that made repeated exposure to things that had no bad consequences seem inherently good. When we see something familiar, it brings on cognitive ease. So, by getting people used to identifying errors in emails and creating a healthy suspicion, we reduce the incidence of phishing errors. But this has to be done over time because, as Katy Milkman says in her book How to Change, sustained behaviour change requires sustained intervention.
Can I spot these techniques in the training?
Absolutely – and from the very first episode, which is all about passwords and how and why to create a good one. We repeat the need, and we give learners several opportunities during the training programme to practice passwords and get used to doing the right thing. In fact, we’ll talk about this more in a separate blog about habits and how to change them.
Does it work?
It does! We’re amazed that all training programmes don’t base themselves on these key foundations. Good training is not just about ‘learning’, it’s about ‘changing’. If you’re investing in training for your business, it’s because you want things to change, to improve, to be better. Don’t you?
Why not take our trial to find out more? Or you can sign up at the bottom of the page to receive regular (but not spammy) updates in our newsletter.