Video. Audio. Powerpoint. Escape game. Article. Chat format. There are so many communication formats that it’s difficult to know which one is best to effectively train your teams.
And yet, this difference is fundamental to run a successful cybersecurity awareness program. People have a limited attention span and, if the goal is to transform your teams into an active element of your cyber defense strategy, it’s important to maximize the attention and memorization they dedicate to this topic.
Which format works best? This is something we asked ourselves at Mantra when we chose to build a cybersecurity awareness tool.
It seemed to us that there were 3 main questions:
Here’s our thought process:
What do users think? Which format do they like best?
Of course, videos can be a useful tool to engage your teams. One needs look no further than the world phenomenon that series like Game of Thrones or Squid Games (and the habit of binge watching) have been to realize the potential of this format.
Between 2017 and 2021, the average time spent watching Neflix for American adults increased by 50%.
But the flip side of this is that shown average content, and given the multiple alternative options available, a user will switch to something else. Compromising on video quality will lead to a drastic decrease in user engagement: there’s nothing worse for a cybersecurity awareness program than an average video that users launch while going to grab a coffee.
And let’s be honest: creating quality video content is difficult and expensive. In Hollywood for example, the race to produce blockbuster films and captivate audiences has led to production budgets doubling between 2013 and 2019.
If video is nothing new, other tools have increased in popularity these past years: Whatsapp, Facebook Messenger, Teams, Slack…
People are now used to chatting via instant messaging. All customer support teams now use these functionalities (chatbot on almost every website, Delta airlines customers service via Messenger…).
People want to have conversations.
And this is relevant for awareness courses: it’s a simple, effective and stimulating format.
Video is tempting. But again, the difficulty to produce high quality content at scale is a serious obstacle. This is why it made more sense to us, at this stage, to choose a textual conversational format - with a little bit of humor - to easily engage users.
Cybersecurity is a constantly evolving field. The attack vectors used by hackers (spoofs of widely-used services, payload types, scenarios chosen) grow more diverse, protection norms (multi factor authentication) evolve and hackers structure themselves in specialized groups: Raas (Ransomware as a Service) or IAP (Initial Access Provider).
It’s therefore important to portray these changes accurately in cybersecurity awareness programs.
Moreover, each company has its own guidelines, its own vocabulary, and its own rules and procedures (for verifying invoices received for example, something that’s relevant in a supplier business email compromise attack).
To be relevant and consistent, cybersecurity awareness courses must then incorporate these elements like for example having the company’s rules on passwords, its IT contacts, or using the names of the company and its CEO.
It is therefore paramount to address two challenges: first, to keep your users aware of the latest evolutions, technics and tactics the hackers might use and second, to give each company a free hand in personalization.
However, it’s difficult to easily edit a video or to personalize it once it’s been filmed, edited and finalized. Likewise, creating a brand new one from the ground up rapidly on a given topic isn’t easy.
Conversely, using conversational formats, like a chatbot, is very flexible. It enables the administrators to easily personalize the content of pre-existing courses, to edit them to reflect the company’s specific procedures, and even to create their own courses in a few clicks and to deploy them easily.
The goal (and this goes without saying) are for your teams to remember the learnings of your cybersecurity awareness program.
So we asked ourselves, which format is the most memorizable? And do studies support one over another?
With this goal in mind, we found the conversational chat format to have two significant advantages over video.
The difference between text and video has been supported by several studies:
Even though video might be tempting on paper, we’ve grown so accustomed to watching high-quality content that the risk of producing content that will be perceived as “average” seemed too high to us. We thought it better to base a cybersecurity awareness program on an interactive conversational format, one that users appreciate.
This allows you to engage your users easily on a conversational mode and on a channel that they’re accustomed to using frequently. Moreover, it’s an extremely flexible format, one that allows companies to update, adapt or create cybersecurity awareness content very easily, as opposed to editing a video.
Finally, several studies have shown that from a memorization standpoint, this option seemed more suited to allow companies to easily deploy their cybersecurity awareness program.
If you want to check it out, don't hesitate to try out our various cybersecurity awareness courses by following this link.
What are SPF, DKIM and DMARC? How do they contribute to setting up protection against phishing attacks and how can you set them up for your company domain?
What are the differences between the ISO 2007 and SOC2 standards? And which one is right for your company?