13-year study reveals best method for training users

Did you know a lot of your IT peers are training their users on security all wrong? Turns out, if training relies too much on the “what” and “how” and less on the “why,” both IT pros and users could be wasting their time.

That’s according to research conducted by Clemson University, the University of Virginia and the University of Oklahoma. The paper, titled “Technology Use: Conceptual and Operational Definitions,” looked at 1,200 different students across 13 years of study to determine the best training methods for teaching IT skills.

Mindful of their surroundings

The participants were not aware that they were part of a test until it was disclosed after the fact, and instead believed they were receiving IT training.

There were two methods of training used to teach the students, and afterwards their skills were put to the test when users were asked to spot phishing emails.

The first method of training was directive and probably familiar to almost everyone. It outlined the specific ways to spot a scam, using key identifiers.

But the second method was what the researchers called “mindful.” It relied on teaching people not just how to spot a phishing email, but why it was important that they didn’t click on potentially malicious emails. The researchers encouraged participants to follow their gut after taking time to deliberate.

In either case, there was no rush to make a decision, but still the people who were training using the first method were far more likely to rush to a choice. Usually the wrong one. Those users who were trained to be mindful were more cautious and asked more questions, and therefore were less likely to fall for an email scam.

These results don’t mean you should throw out your training modules and presentations. Instead, try combining a practical way to teach users, combining the two methods.

Users should know the basics and ways to spot an email, but also be aware of their actions and possible outcomes from their choice.