Cyber Security training for employees has historically leaned towards “Awareness”. It is time to think beyond “Awareness” and focus on building Cyber Security “Competence”.
Competence is the ability to do a task successfully or efficiently. For someone to be considered Cyber Security Competent, they must;
1. Possess the know-how (security awareness)
2. Demonstrate positive Cybersecurity behaviour (consistent application of cyber security skills) to implement the know-how.
Virtual Reality training is possibly the best way to make employees Cyber Security competent by providing experiential training that increases awareness and develops positive Cyber Security behaviour. Outlined below are five essential facts that Cyber Security decision-makers must consider adopting VR training to strengthen the human layer.
Awareness training is mostly passive. The learner is usually listening and watching. Thus very nature of awareness training makes it difficult to measure learner engagement.
In contrast, in VR training, the user is surrounded by sensory information (sight, sound, touch) that engages the learner to a high degree. Further, VR training offers powerful tools to measure learner engagement genuinely. For example, consider a VR phishing email simulation whereby the learner must identify pieces of evidence within the email that indicate the mail as a fraud.
VR makes a difference by;
- tracking the eyeball movement of the learner over the body of the email
- tracking the finger responses and clicks on the pieces of evidence spread in the email
- the time the learner is consuming to identify all the parts of evidence that indicate the mail as fraud
As can be seen, VR training raises the bar. By unobtrusively tracking gestures, movements and responses, VR training will provide a real wealth of data. Analysis of this data can identify weak areas of Cyber Security competence to deliver corrective measures.
While it is impossible to replicate real-world environments for training, VR training comes close in providing experiential learning. Experiential learning is best implemented using “learning by doing” model. In this model, the learner immerses, analyses and experiences learning at great depth.
Consider a Cyber Security experiential learning experience on phishing implemented in VR. When the learner is learning by doing, two fundamental principles are in action.
The sensory part of the brain captures relevant information (e.g. visuals of various types of phishing emails) The cognitive areas learn to recognize the risks (e.g. visuals of pieces of evidence) and take corrective actions (e.g. report the mail, delete the mail)
Change attitude and behaviour
The sensory and cognitive experiences provided by VR training will map onto the same connections the brain will use when making decisions. These deeper sensory and cognitive experiences help in changing attitude and behaviour.
Develop Cyber Security experience memories
VR training that exposes the learner to Cyber Security risk situations helps in developing memories. Compared to academic learning, VR training helps to recall these memories when triggered by real-world Cyber Security risks.
Most awareness training fails in challenging the user. They are straightforward. By trusting the output of these training data, organizations face the risk of developing a false sense of security in the capability of their workforce to manage Cyber Security risks.
In contrast, VR training unobtrusively gives truthful and honest feedback. Every learner engagement moment can be tracked using VR technology.
1. Every interaction in VR provides an overview of the thought process and reaction of the learner
2. Data supplied by VR training is trustworthy because it is based on almost real-world interaction
3. Most importantly, VR training data helps in analyzing why learners reacted in a certain way?
Analyzing the “why” is essential to make necessary corrections in the way employees perceive and react to Cyber Security risks.
Each organization operates in its unique environment dictated by industry, geography, systems and other factors. VR training can be customized to suit,
1. Industry-specific risk situations (malware targeting oil and energy industry)
2. Job specific Cybersecurity risk situations that confront particular roles and responsibilities (e.g. phishing emails that target finance professionals or C-suite executives)
3. Compliance specific risk situations (PCI-DSS, HIPAA to name a few)
Further, organizations can selectively increase the difficulty level of each training experience to move learners from easy to more difficult levels. While this may result in a higher number of failures, the experience translates into better real-world responses.
Most awareness training programs attempt to cover multiple topics within 30-60 minutes, either online or in a classroom. The result is less or waning user attention as the training progresses. VR training offers the possibility to create varied training experiences that are short and focused.
Examples of VR training experiences that are less than 2 minutes in duration:
1. Identifying malicious apps (90 seconds to 120 seconds of VR training)
2. Detecting and reporting fake websites
3. Using personal hotspots when travelling
Each training experience leaves the learner with a meaningful experience. By creating a VR learning station or lab inside the organization, the learner can return for more such experiences over time.
VR technology is set to improve further. VR technology, also complemented by the emergence of Augmented Reality and Mixed Reality, bode well for Cyber Security Managers to deliver realistic, meaningful training experiences. Further, the quality and quantity of data generated through VR training give deep insights to make better Cyber Security decisions.