People tend to see cyber as being all about tech, 1s and 0s on a screen speaking a language many will never understand. However, cyber is more about people than you might think.

Organisations are turning to cybersecurity training at an exponential rate in the hope of quelling their risks. However, employees often see infosec as more technical than based in everyday life.  

We need to bridge this gap in understanding to have any hope of staff embracing cybersecurity.

How do you shift an employee’s perspective?
Messaging has to convey not only an employee’s responsibility towards cybersecurity, but also its benefits. Sadly, many of the current training programmes fall well short.

Last year, TalentLMS created a survey in the form of a questionnaire. They found participants who had received cybersecurity training at work did not know any more than those who had not. In some cases, those with training even appeared more at risk compared than their counterparts.  

Just because training is mandatory, it does not mean an employee will buy into it, or even understand how to implement the knowledge day-to-day.

Lessons can be learned through stories
There are lessons to be found in every story. From carvings on cave walls, to fairytales and Hollywood blockbusters, storytelling has been part of human communication for thousands of years. So why do we not utilise it more during training?  

How many of us have been assigned an arbitrary-looking document we have to read, without justification of why, or even being shown how to implement it in our work? Storytelling can make the strange seem familiar; we can use it to pull cybersecurity from the theoretical into reality by basing it in situations a person can recognise.

Ground-breaking psychologist Jerome Bruner has studied the benefits of teaching through storytelling. He found that: the interaction – the context in which a thing is learned – is key to a person's understanding and development, rather than the mere fact that knowledge is acquired.

Organisations so often fall into this trap and assume that because knowledge has been provided to their employees, they should be able to take the correct actions. Using stories to show what the correct actions are in different situations is one of the most effective ways to instil cybersecurity.

Storytelling helps change the view of cybersecurity
Before employee actions will change, their view of cybersecurity needs to change first.

Many people see cybersecurity as someone else’s responsibility, not part of their job and an unwelcome addition to their role.

It is vital that the stories we tell do not scare people, as this will only deter them. Stories need to present cybersecurity in a positive light, so it is seen as a useful tool to utilise in life.

We must use stories that show the employee is empowered and enabled to make the right decisions by their cybersecurity awareness. Using narratives that present employees as heroes who save the day, rather than victims or co-conspirators, can have a powerful impact on the attitude towards security.

By bridging the gap between people’s current understanding of cybersecurity and where we want them to be, the key messages in training can then be taken onboard because employees will see value in the learning.  

Employee experience matters
Storytelling makes training more engaging and interesting. A simple animation or scene acting out scenarios helps to keep training dynamic, preventing the messages from becoming stale.

Storytelling also gives the opportunity for examples to be used that employees can associate with. By centering a cybersecurity issue upon an activity the employee does every day, like sending and receiving emails, it can present how to apply the training in their role.

We should lean into learning by example within cybersecurity training, because an employee will better understand what actions they need to take if they have watched someone else take the correct steps in a similar situation.

Storytelling is more than just words
Storytelling does not need to be restrained to just animations or acted out scenes however. A more interactive approach can also help further instil how to implement cybersecurity practices day to day.

Interactive stories, where the user chooses their path, and even escape rooms have become increasingly popular in training. They are especially effective in cybersecurity because they require a person to consider the different outcomes that can result from a set of circumstances, demonstrating the usability of the knowledge learned. An organisation is able to better understand where their employee’s knowledge is strongest and where more attention is required.

Learning the key messages, seeing someone implement them and practicing applying them forms a tripartite of training that will enable the employee to take the right course of action against an attack.

Gamification works
Using elements of gamification in storytelling can lead to engaging material that implements knowledge by focusing on how something is done, not simply what has been learned.

Various training organisations are creating a variety of different platforms to make full use of storytelling as an interactive practice.

Bob’s Business for example has created one such game. Called Think Before You Click, this game puts users through scenarios that simulate how attacks often play out against organisations. In doing so, users are not only learning about cybersecurity they are able to use it.

Not everyone cares about cybersecurity 
It is important to know your audience: the general audience sees cybersecurity training as ‘extra work’ that isn’t part of their job.

For people to change their perspective we need to engage with them in a way that shows how relevant cybersecurity is, and how it is used day-to- day. Storytelling has the power to do this and so much more.

Effective storytelling not only improves retention of information and engagement, by making the journey of learning more interesting and relevant, it also shows how to implement knowledge learned into everyday life.