Why people don’t want to do their training and how to get around it

Why people don’t want to do their training and how to get around it

11th November 2021 Security

There are very few people in this world that think, “Oh goody! My next security training module now needs doing.” Some people even go as far as flat refusing to do their training and to demonstrate that fact, they are prepared to throw a tantrum that a two-year-old would be proud of. What do we do with them? We know that they must do their training but when they have their fingers in their ears and are singing loudly to avoid hearing you, it can be a tricky message to deliver.

Stage one – Reasoning with the “Hard of Thinking”

You and I both know that this is unlikely to work, given that most people do not use reason in any part of their lives, preferring instead to behave in a way that they feel they should, or at least want to. However, before we get into the more Machiavellian methods, we should at least try.

Once your audience has stopped behaving like a toddler, try the following reasons:

  1. You need to do your security training because the technology in place to keep you safe will not stop everything. It is not the technology’s fault that it won’t stop it: for example, how do you expect it to see the opening emails in a complex fraud? There are no weaponised links, no malware hidden in attachments, just someone attempting to get you to do something that is not in your best interests. You may not spot what is happening if you have not been taught what to look for.
  2. Being busy is not an excuse for not doing your training. It won’t matter how busy you were if you cause devastating problems for your organisation because you have not been properly trained. This reminds me of an old Buddhist saying that goes something along the lines of, “If you are too busy to meditate for half an hour every day, then you should meditate for an hour every day instead”.
  3. If you cause a data or security breach, it could be very bad for both you and the organisation that you work for. How would it look if you have rejected all attempts to train you, and then you do something preventable and cause breach?
  4. Clients need to have confidence that your organisation is behaving responsibly. One thing that is looked for is ongoing security training as this an indicator of how safe a client’s data will be when being handled by your organisation.
  5. Security training is required for compliance to a lot of security standards. There is a very good reason for that: it helps reduce the chances of security breaches.
  6. It is not about being smart or being in charge. Neither of those things will automatically teach you how to behave in the event of a security threat, only training can do that.

Stage two – demonstrating to the “Hard of Thinking” their lack of ability to spot threats

This one can be great fun, especially if your audience is high up within your organisation. To make it fair(ish) have look for someone that is known to your target(s): LinkedIn and other social media is good for this kind of stalking. Then if you have KnowBe4 set up within your organisation, build a spear-phishing email or two. The secret is keeping the message very short and try to cause panic. If you can mange this, then they will probably fall for it before they have time to consider whether your spear-phish is real or not.

Once you have done this, come clean and point out that if they had been trained, they would have known what to look for and probably not fallen for the email.

If stage two didn’t get you sacked:

Stage 3 – Threatening the “Hard of Thinking”

Everything else has failed: You can’t reason with them, they refute that your simulated attack could happen in real life and is therefore not valid, so you are left with the only weapon left in your arsenal: Make the training mandatory under threat of disciplinary action. The full verbal then written warnings, ultimately followed by not having a job anymore.

It is unfortunate but with some people, it is the only thing that works. Let’s hope that you get the first two stages to work and that you don’t need to explore the nuclear stage three approach.

What if your organisation has not even implemented security training yet?

Please contact Brigantia to be put in touch with your local Brigantia Partner who will be able to guide you through getting set up with a fully managed KnowBe4 security training service. Email partnersupport@brigantia.com or call 020 3358 0090 for more details.

About the author

Chris Speight: