security awareness training, compliance, security education, learning styles, it security, r&d security, non-technical security

Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.

Scott Wright's Security Views

Learning styles and world views - Why some training programs don't work as well as others

Wednesday, June 3rd 2009 @ 11:23 PM

One of the biggest barriers to achieving an effective culture of security in an organization - even one with only a few employees - has to do with communication issues, not just the content of the slide deck. I'm talking about "learning styles" and what Seth Godin calls "world views". Too many security awareness initiatives treat everyone as having the same capacity to absorb content from a single slide deck.

Communication styles, in a nutshell, are known by psychologists to make a huge difference in how people absorb information. Some people are auditory communicators, meaning that they listen and speak in terms of the linear flow of information, as in "It sounds like you need to focus on the insider attack problem." Others are visual learners, meaning they tune in better to visual inputs, or even to visual terminology like "I can see where you might think the plan is unclear." Still others learn and speak with a "kinesthetic" orientation, which involves tangible attributes and feelings, such as "Once I can get a grasp of the situation, we can move forward."

Different people may tune in or tune out part way through a training session because there is insufficient stimulus in their native learning mode. Despite this incomplete connection, an amateur instructor may feel that the "security awareness briefing" check box on their to-do list is complete, satisfying the policy requirement for training and awareness. However, the chances of effecting a cultural change in this home-grown security training environment may be far lower than expected.

Another problem that even experienced educators face, when it comes to security awareness training, is the audience's "world view": the sum total of an individual's experiences and expectations. I see at least three separate world views in most organizations that tend to cause misunderstandings and ineffective knowledge transfer regarding security:

  1. IT and R&D Staff - While they understand the limitations of technology, and often appreciate many of the security risks to the organization, they sometimes don't know which assets are critical to the organization's success. As a result, they may not know which risks are the highest priority to deal with, and they get frustrated because they can never address all the risks with a limited budget, whether in Operations or R&D. At the same time, they do not always understand how to express risks, and the effects of budget limitations, in terms that non-technical staff, including senior management and executives, understand.
  2. Executives - Even though they see the big picture for the organization, and should know which business processes are the most critical, they tend to delegate too much responsibility for securing those business processes to the IT and Security staff without explaining the business priorities. They often don't recognize or appreciate the level of frustration experienced by those to whom the responsibility is delegated.
  3. Non-Technical Staff - With only a set of job objectives, a desk and a computer, the average employee is simply trying to get their job done. They may not fully appreciate the value their job brings to the organization's critical workflows. To them, policies usually seem irrelevant or out of date, and there is no big-picture perspective. There is an old Eskimo saying: "The scenery only changes for the lead dog." So they try to do their best, but if the messages they receive from management and the IT group are in stark contrast with reality, they can quickly conclude that they are on their own. This is when they start to make up their own rules for doing their jobs, and may even resort to looking out for number one. At this point, they become a significant threat to the organization.

The three world views can be so disconnected that any attempt to educate staff about securing the organization's information assets simply becomes a waste of time.

That's why I promote a methodology that focuses on engaging all staff in thinking about their own job's workflows. They can work within their own world view and immediately recognize what makes sense, in that context, in terms of security and productivity. The key element in my approach is to use questions that focus on the student's primary job functions and the information they handle, which gets them thinking about the priorities for the information flows they rely on to get their jobs done.

I must credit Rebecca Herold (@privacyprof) for helping me articulate the benefits of considering learning styles, and also Michael Santarcangelo (@catalyst) for his relentless advocacy of "engaging employees in discussions about consequences".

All this is to say: if you're going to run a "home-grown" security awareness training program, don't do a "one-size-fits-all" slide deck and check off the compliance box. Spend some time thinking about these issues and do it right, or please give me a call.


Would your organization be interested in obtaining the right to use my security awareness eLearning content or articles in your enterprise security program? Or would you like help with strategy, risk assessment, program development or training? Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
