Trying to learn large amounts of information in one sitting is often overwhelming and leads to lower retention. Psychologist Hermann Ebbinghaus found in studying himself in the 1800s that only 20% of information learned is retained four weeks later. However, his retention increased from 80% to 90% when using microlearning. That is, he took in small, bite-size pieces of information in a single sitting.

In today’s fast-paced business world, days taken away from regular work and given to training can put a project behind. Some companies mandate yearly training, making it something employees dread or simply tolerate. This often means that employees can easily overlook cybersecurity training or that trainers deliver it in ways that result in glazed eyes and information overload.

Microlearning can help employees learn in small doses and improve the odds that they remember and apply the lessons. This approach not only teaches employees, but creates a culture of learning, which means increased curiosity and often innovation. Instead of keeping a totally serious approach, look for ways to creatively catch employees’ attention.

You want employees to think of cybersecurity as part of their job, not something managed by the IT department. That messaging should also tie back to how cybersecurity relates to their job and life. Make cybersecurity interesting and relevant, such as by sharing new threats.

Here are five ways to use microlearning to help your employees learn important cybersecurity guidelines.

Videos for Microlearning

While cybersecurity isn’t a laughing matter, humor is a great learning tool and gets people to pay attention. Most of the videos I watched while researching this story were boring. But I did find several great videos out there. I kept laughing out loud at Mimecast’s videos — yes, there is a character called Human Error, complete with a bathroom, as well as another called Sound Judgment — that drive home the points very creatively. And this channel contains many videos on a wide range of topics. Habitu8 also has some great videos, especially the social engineering video and the social media privacy one. You can also check out ECPI University’s list of 15 funny cybersecurity videos.

A short and to-the-point video works great as well. A one- or two-minute video on a very specific topic, such as how to spot a phishing email or what makes a strong password, can be very effective. You can either use some of the many videos online or create your own.

Text Messages

Instead of writing another email listing dos and don’ts, make a list of 10 to 15 tips, such as five passwords not to use and reminders not to click on unknown links. Because of the format, you are forced to keep the message short, which can increase the odds of people reading and remembering it.

Next, create a text group for your employees or use software to automate the process, then set up scheduled microlearning through text. In the text, you want to cover why they should care and what to do. For example, “Got a message asking you to sign up for the bake sale this week? Check again. Click on the link and you may be getting a virus instead of a signup link for brownies. A new scam is going around — don’t be the next target.”

Turning Learning Into a Game

Everyone loves games, especially if they come with prizes. You can have a quiz-style game about cybersecurity knowledge at your next company meeting. Or you could have people earn badges by watching all your videos. And to promote good habits, you can even have prizes for teams that go the longest without an issue.

Microlearning Doses From Experts

Your employees are used to hearing you or other IT leaders talk about cybersecurity. So, mix it up and bring in other voices. Aim for a two-to-five-minute talk from other experts in the field or in your company. You could record someone external to play at the meeting or video conference them in. Also, consider having non-technical employees talk about how they prevented an incident, such as not clicking on a link, or about what happened when they encountered a threat, such as a ransomware attempt.

Posters: Old But Good

Yes, it’s a little (okay, a lot) cheesy. But posters in highly visible locations work. Make reminder signs about cybersecurity guidelines and hang them around the office. On each poster, explain why it matters and what the employees should do (or not do) in short and simple text. Be sure to add eye-catching graphics, and humor never hurts either. Hang them in the break room, in the bathroom and on doors. Be sure to rotate the signs and change the messages. You can even gamify the posters by offering prizes on them to encourage people to read them.

While the core principle of microlearning is a small amount of information and a short time commitment, the method also means repeating the same information in different formats. For example, you can distribute a funny video about how attackers can use information gained from personal social media accounts to sneak into the corporate network. Then the next week, you can send a text message on exactly how to set privacy settings for Facebook. You can then round out the microlearning a few weeks later, asking employees if they changed their privacy settings and offering a small prize to the first 10 people who send a screenshot of their updated privacy settings.

Microlearning Contributes to a Culture of Cybersecurity

Because cybersecurity is an important and serious topic, it’s easy to assume that training must be formal as well. By taking a more personal and fun approach to cybersecurity, you can create messages that your employees will not only pay attention to but actually remember next time they get a suspicious email or change their password.

Organizations that are the most protected from threats are those that have a culture of cybersecurity — meaning that they often discuss ways of staying safe and every employee feels that they are responsible for cybersecurity. By using microlearning, you can not only help your employees learn important information, but also keep the message of cybersecurity awareness at the front of their minds on a weekly or daily basis. Most important, you can make cybersecurity interesting and relevant to their jobs and lives.
