Trying to learn large amounts of information in one sitting is often overwhelming and leads to lower retention. Psychologist Hermann Ebbinghaus found in studying himself in the 1800s that only 20% of information learned is retained four weeks later. However, his retention increased from 80% to 90% when using microlearning, that is, taking in small, bite-size pieces of information in a single sitting.

In today’s fast-paced business world, days taken away from regular work and given to training can put a project behind. Some companies mandate yearly training, making it something employees dread or simply tolerate. This often means that employees can easily overlook cybersecurity training or that trainers deliver it in ways that result in glazed eyes and information overload.

Microlearning can help employees learn in small doses and improve the odds that they remember and apply the lessons. This approach not only teaches employees, but creates a culture of learning, which means increased curiosity and often innovation. Instead of keeping a totally serious approach, look for ways to creatively catch employees’ attention.

You want employees to think of cybersecurity as part of their job, not something managed by the IT department. That messaging should also tie back to how cybersecurity relates to their job and life. Make cybersecurity interesting and relevant, such as by sharing new threats.

Here are five ways to use microlearning to help your employees learn important cybersecurity guidelines.

Videos for microlearning

While cybersecurity isn’t a laughing matter, humor is a great learning tool and gets people to pay attention. Most of the videos I watched while researching this story were boring. But I did find several great videos out there. I kept laughing out loud at Mimecast’s videos — yes, there is a character called Human Error, complete with a bathroom, as well as another called Sound Judgment — that drive home the points very creatively. And this channel contains many videos on a wide range of topics. Habitu8 also has some great videos, especially the social engineering video and the social media privacy one. You can also check out ECPI University’s list of 15 funny cybersecurity videos.

A short and to-the-point video works great as well. A one- or two-minute video on a very specific topic, such as how to spot a phishing email or what makes a strong password, can be very effective. You can either use some of the many videos online or create your own.

Text messages

Instead of writing another email listing dos and don’ts, make a list of 10 to 15 tips, such as five passwords not to use and reminders not to click on unknown links. Because of the format, you are forced to keep the message short, which can increase the odds of people reading and remembering it.

Next, create a text group for your employees or use software to automate the process, then set up scheduled microlearning through text. In the text, you want to cover why they should care and what to do. For example, “Got a message asking you to sign up for the bake sale this week? Check again. Click on the link and you may be getting a virus instead of a signup link for brownies. A new scam is going around — don’t be the next target.”

Turning learning into a game

Everyone loves games, especially if they come with prizes. You can have a quiz-style game about cybersecurity knowledge at your next company meeting. Or you could have people earn badges by watching all your videos. And to promote good habits, you can even have prizes for teams that go the longest without an issue.

Microlearning doses from experts

Your employees are used to hearing you or other IT leaders talk about cybersecurity. So, mix it up and bring in other voices. Aim for a two-to-five-minute talk from other experts in the field or in your company. You could record someone external to play at the meeting or video conference them in. Also, consider having non-technical employees talk about how they prevented an incident, such as not clicking on a link, or about what happened when they encountered a threat, such as a ransomware attempt.

Posters: Old but good

Yes, it’s a little — okay, a lot — cheesy. But posters in highly visible locations work. Make reminder signs about cybersecurity guidelines and hang them around the office. On each poster, explain why it matters and what the employees should do (or not do) in short and simple text. Be sure to add eye-catching graphics, and humor never hurts. Hang them in the break room, in the bathroom and on doors. Be sure to rotate the signs and change the messages. You can even turn the posters into a game by offering prizes on them to encourage people to read them.

While the core principle of microlearning is a small amount of information and a short time commitment, the method also means repeating the same information in different formats. For example, you can distribute a funny video about how attackers can use information gained from personal social media accounts to sneak into the corporate network. Then the next week, you can send a text message on exactly how to set privacy settings for Facebook. You can then round out the microlearning a few weeks later, asking employees if they changed their privacy settings and offering a small prize to the first 10 people who send a screenshot of their updated privacy settings.

Microlearning contributes to a culture of cybersecurity

Because cybersecurity is an important and serious topic, it’s easy to assume that training must be formal as well. By taking a more personal and fun approach to cybersecurity, you can create messages that your employees will not only pay attention to but actually remember next time they get a suspicious email or change their password.

Organizations that are the most protected from threats are those that have a culture of cybersecurity — meaning that they often discuss ways of staying safe and every employee feels that they are responsible for cybersecurity. By using microlearning, you can not only help your employees learn important information, but also keep the message of cybersecurity awareness at the front of their minds on a weekly or daily basis. Most important, you can make cybersecurity interesting and relevant to their jobs and lives.
