For those that don't already know this, any organisation's highest-level vulnerability is their own staff and what are typically common 'human errors'. One of the keys to improving this risk factor and lowering the probability of an 'accidental click' leading to a security disaster is awareness training for all of your employees.
The benefits of training can have a high success factor, enhancing your employees' knowledge of attack vectors and the common risks that we all face daily. That is dependent on the training being done in the right way (and holding the employees' attention spans throughout the training.) If the training is done poorly, it is an entirely different story, as it can make people even less interested in information security and more complacent than they were before.
So... how to spot bad training and turn it around before it really sets up the wrong rating for your security training?
Don't recycle old material
You can't expect users to be remotely interested if you are just making them sit through the same training material multiple times. If you're recycling the same presentation slides and the same quiz as the previous year(s), then it might be time to re-evaluate: your employees will figure that if you don't take the time to prepare for this training, then it can't be high priority and therefore it can't be high priority for them, either.
It would always therefore be beneficial to teach the employees the latest information about the most common current threats and how to avoid them.
Keep the course 'short and sweet' and efficient
It's necessary to think about how much (or rather, how little) time we all have in the day and, oftentimes, how much each of us need to do in terms of work. If the course takes up a lot the employee's work day, then attention spans can dim and work pressures from other demands piling up that day can increase.
An hour or so, with a good quiz at the end, is usually sufficient time, if the time is used efficiently and the employee's attention is held for the most part.
Not everyone needs the same training
We should all know that different people have different levels of pre-existing IT security knowledge, for one. For another, different people's roles have different security-level requirements and different foci they need to have around spotting suspicious situations. Therefore, we need to adapt the training to suit.
Follow up with trained staff
Ask for feedback from those who have had the training, get a feel for how well understood the training was, ask the employees how they feel with reporting incidents.... Follow-up engagement is even more important than the 1+ hour(s) of training in the information security course.
Don't just do training / engaging with staff once annually
If staff are finding the security training to just become an 'annual ritual' and there's no engagement and follow-ups in between, then the information won't really 'sink in'. This is because the staff aren't being required to imprint the information on anything other than their short-term memory, rather than continuously calling on those memories imprints upon long-term memory and makes for easier recall.
Make some of the trainings random and interspersed throughout the year; perhaps they could be shorter versions, but they will still help with the mental imprints upon your staff.
Never shame those who err
Big no, no. We're all human, we're all going to make mistakes. We don't want to have fools made out of us when we err; all too often, we're shame-talking to ourselves when we make a simple human error anyway. Therefore, employees who have been big and strong enough to admit to or report their errors must be complemented for their honesty and thanked for their assistance in stopping what could always have been a larger disaster from occurring, whilst using it as a 'learning from experience' example for them.
Remember the actual root cause of this training requirement
Why are we doing this training? Employees should not only understand the attack vectors they face, but why security is so essential to a business. Employees need to be more educated on the threats they they personally face and that the organisation faces with regard to simple activities, such as clicking on links, visiting websites or downloading any (supposed) documents.
End-user empowerment should be a tool that flourishes
End users are much more than just a security liability. Let them know how important they are in defending the company from attacks and breaches.
Sometimes what speaks to a person about staying safe online in their private lives translates to their work lives as well. Some of the most productive training techniques with emotional appeal teach employees to protect themselves and their loved ones online... and then go onward as to how to apply that at work as well.
If a cyber-aware organisational culture is created and fostered, where everyone feels responsible for cybersecurity, then it can really improve risk management efforts and lower vulnerabilities.
Understand the high value of buy-in
Focus on getting everyone – from employees to company executives – to believe in your efforts. If everyone isn't convinced of the importance of awareness, few people are going to support your mission. End user buy-in is huge, because if your employees hate the training, then they can't actually learn what to look for in a phishing email or how to spot suspicious applications within their phone's app store, etc.
Keep away from the culture of apathy
Recycling old material and using a long, boring, annual training course without proper feedback and follow up sends one message: "We are apathetic about security in this organisation." Instead, you need to ensure that users see you value their time to get them toward engaged awareness.
An alternative to the 'one-size-fits-all' training is a short, generalised compliance training circulated to all staff and then a more focused training targeted at different teams, to support them in their areas of higher risk. And example of this would be giving the HR team more of a focus around data privacy and data handling for staff information, and how personal data should be handled securely, versus those within the finance team and covering the threats they are likely to face with focused phishing efforts.
An additional point to keep within all training is to make rapid response a hallmark of reporting incidents to encourage teams to share, as the more that teams share responsibility in cyber security and take pride in keeping their organisation as secure as possible, the better protected your organisation can be.