Character and humour in security training maximises knowledge retention

In information security and data protection, we are not always the greatest communicators. We often talk in technobabble and that can lead to being tuned out. Having some fun materials in your bag helps to simplify training messages and communicate essential information more effectively.

The role of Chief Information Security Officers (CISOs) has become more critical than ever in ensuring the protection of valuable data and safeguarding against potential breaches – and a major responsibility for CISOs is to be on the hunt and look out for the best ways to increase knowledge retention and employee engagement.

To this effect, recent data reveals that incorporating character and humour into cyber security training can be a game-changer for maximising behaviour and culture change within organisations.

Why character and humour?

Recognising the need for a paradigm shift in cyber security training and something new to shake the cobwebs off, we believe cyber security training and awareness should incorporate character-based communications and humour into the learning experience.

Lisa Plaggemier, Executive Director at National Cybersecurity Alliance (NCA), said: “Security teams still tend to design training sessions focused on content, forgetting that the recipients are human beings.” Plaggemier highlights United Airlines’ most-recent safety video for airline passengers as an effective training campaign which used humour to convey complex flight safety protocols.

By infusing training modules with relatable characters (like TSC’s Lax), memorable storytelling, and appropriate humour, organisations have witnessed remarkable improvements in participant engagement, knowledge retention, and behaviour change.

You must look at it this way; sitting an individual down to run through a 30-minute eLearning course on data classification will not be as impactful as making the same individual watch a narrative 5-minute animation on data classification. With the character-based animation, knowledge points that you want employees to retain will be tied closely to humour and easy-to-recall narrative moments. How easily can you talk about the show you binged last weekend compared to the training you were assigned to do last week?

The power of character

Characters serve as anchors for employees conducting training by creating emotional connections and enhancing the learning process. These characters can be relatable personas or avatars that guide individuals through cyber security scenarios, demonstrating best practices and potential pitfalls. When learners identify with these characters, they develop a sense of ownership and connection, making the training more impactful and relatable.

Introducing characters into cyber security training humanises the learning experience. When individuals can relate to the characters' struggles and triumphs, it triggers empathy and motivation to adopt secure behaviours. Characters in training programs provide individuals with tangible examples to model their behaviour after. This social learning aspect is crucial for driving behaviour change as it taps into our innate inclination to imitate and learn from others.

The power of humour

Humour has proven to be a powerful tool in breaking down barriers and fostering a positive learning environment. Incorporating appropriate humour into cyber security training helps alleviate anxiety and boredom often associated with technical subjects – that some employees can be daunted by. It creates a memorable and enjoyable experience, encouraging participants to actively participate and retain information.

Humour acts as a cognitive stimulant, capturing attention and enhancing memory. By injecting humour into cyber security training, we tap into the brain's reward system, making the learning experience more enjoyable and memorable.

Gamification: a means to an end

Using character-based games and humour to help people learn is something that helps solidify human understanding. The Game-based Learning Theory describes gamified learning as ‘experiential.’ This type of learning is effective as it builds experiences through role-playing and other games. Furthermore, a separate study titled ‘Gamification of Information Security Awareness and Training’ states that a ‘high level of interactive-ness potentially defeats the tediousness of e-learning.”

When building a security awareness culture, make sure that you include lots of interactive elements that are fun and use humour to make memories. Do not expect a security awareness culture to develop if employees are made to sit in at their desks and listen only to 15 to 30 minutes of monotonous audio files and slides. By supplementing engaging employees in material that is fun and memorable, a company is more likely to vault the boredom hurdle.

What can we learn from the entertainment industry?

Jann Yogman, a highly respected entertainment writer who has worked with the likes of Conan O’Brien, recently pivoted to working with cyber security training and content creation. Whilst he admits lacking expert knowledge on cyber security, he has created a highly successful 4-point framework for creating the most engaging and retainable content in the cyber space.

Let’s run through it with some additional cyber security focused advice from TSC plugged in:

1. Focus on storytelling: When using a storytelling framework for your training and awareness, make sure you do not dive in blind. You must ensure that your employees ease into the topic after you get their attention. To do this, develop a relatable scenario where the security dilemma seems plausible – a character-based animation or video can help here. Make your character struggle with the security decision and show the consequences when they make the wrong choice – this gives a chance for your employees to vicariously make the wrong decision as the character rather than themselves in real life. In television and film, audiences respond to and empathise with character arcs – you must make use of this in your training and awareness by taking your employees on a journey.
2. Relatable and consistent characters: By creating a training and awareness system where viewers see the same character dealing with threats and risks on a regular basis, you eliminate the need for refreshing backstories or reintroducing scenarios. In the same way you can watch episodes of your favourite TV shows without having to figure out who everyone is every single time, using the same character in your training and awareness creates instant constructive interaction and buy-in.
3. Production value: In television and film, after you wrap on set, the real work begins with editing, colour correction, music, and sound design to make the product stand out. You must follow the same principles with your cyber security training and awareness programmes. People will pay closer attention to materials that are clean, void of errors and instantly professional.
4. Make it quick: Let’s get one thing right: attention spans are limited. We live in a social media obsessed, TikTok-curated environment with the average attention span getting smaller and smaller with each passing year. The days of 30-minute-long eLearning courses are long behind us; employees will simply lose interest after a few minutes. To combat this, training that is short and to the point, and delivered regularly will be most effective and ultimately keep security at the forefront of thinking. Furthermore, if you are handling a topic that requires longer, more comprehensive eLearning, why not diversify your content but breaking it up into smaller bite-size chunks via mini-eLearning modules, time-based team activities and threat-based games?

End goal: behaviour and culture change

Behaviour change is the end goal of cyber security training and awareness, as individuals must actively apply what they have learned to minimise risks. Character and humour play instrumental roles in fostering behaviour change and creating a cyber security-conscious culture within organisations. By employing relatable characters and humour, training programs can create emotional connections that motivate participants to embrace secure behaviours. The introduction of characters and humour helps break down resistance to change by making cyber security training more accessible, relatable, and enjoyable to your employees. This, in turn, contributes to the establishment of a cyber security-conscious culture, where security practices become ingrained in the organisational fabric.

Conclusion

The incorporation of character and humour into cyber security training is a progressive approach that holds immense potential for CISOs and their organisations.

Not only are you visually enhancing your training and awareness materials, you are also engaging participants on an emotional level and creating enjoyable learning experiences; character-driven and humour-infused training programs maximise behaviour and culture change and is a strategic investment that yields long-term benefits for all stakeholders involved.

If you would like information about how The Security Company can help you to deliver character-based eLearning, animation and gamification and how we help support CISOs as an extension of their cyber security team ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.