When I started Rethink Compliance in the summer of 2015, one of our first clients was Threat Ready Resources, a new company founded by some former colleagues who were intent on launching a better cybersecurity training company.
Threat Ready was launched from a few key observations:
- Most corporate cybersecurity strategies fail to address the human factor. With the dawn of the Internet and linked devices, companies initially focused on technical safeguards. This made sense: of course they needed to start with firewalls, intrusion detection, and other network protections. But as cyber criminals got sneakier and more sophisticated (phishing ordinary employees, impersonating CEOs by email to trick staff into approving payments, and compromising the online menus of restaurants popular with a target company's staff so that employees who browsed them were infected), technical safeguards alone weren't enough. By 2014, one IBM study found that 95% of the security incidents it analyzed involved human error. Or, as one expert put it: "If you design a great car but people keep driving it into a building, eventually you have to take a look at the driver."
- Most corporate training programs are designed for defensibility, not effectiveness. You wouldn't think that moving from corporate compliance training to cybersecurity would be a huge leap. After all, both involve a set of risks linked to employee behavior, risks that good training can reduce. But as we worked to develop a product strategy and then build out the products, one thing became glaringly obvious: if there's a cybersecurity breach, you don't get any credit for effort. Unlike a compliance worst-case scenario, most of the consequences of a data breach happen outside the judicial system: company assets are destroyed or held for ransom; companies spend an average of $4-$6 million to identify and repair the breach; reputation and stock price take a hit, affecting business over the long term (just ask Target). If that happens, it won't help that you had a great training program on paper. Training has to work or it's worthless.
And yet, despite this, the leading cybersecurity training companies at that time were peddling longer, "one subject at a time" training products that were actually best suited to providing defensibility, in other words, proof of training activity for their clients. No one was talking about effectiveness or measuring their current training efforts to identify gaps and devise improvements.
Which is where Threat Ready saw an opening.
I was fortunate to be able to meet with Henry Roediger, one of the authors of Make it Stick: The Science of Successful Learning, to talk through his research and start to understand how his insights might be applied to create better, more effective employee training. Those insights are baked into the Threat Ready curriculum, and in this four-part blog series, I'll discuss what Roediger's research shows and how compliance teams might apply those same insights to create a better compliance learning program.
(Full disclosure: As part of my initial involvement, I became a shareholder and part-owner in Threat Ready, so I hold a financial interest in the company.)
The Science of Learning
Roediger and his co-authors open their book with a startling statement: Most people—and most schools, companies, and other learning providers—are going about learning the wrong way.
They write: "[R]esearch into how we learn and remember shows that much of what we take for gospel... turns out to be largely wasted effort... But there's a catch: the most effective learning strategies are not intuitive."
They continue: "The good news is we now know of simple and practical strategies that anybody can use to learn better and remember longer."
Make it Stick spans a number of topics, four of which are especially relevant when designing compliance learning:
- To learn, retrieve.
- Mix up your practice.
- To extend learning, use retrieval cues.
- For better effect, prime the mind for learning first.
We’ll cover the first insight in today’s post.
Insight 1: To Learn, Retrieve
Studies show that, when we learn something, there's an initial, large drop-off followed by a slower erosion. Typically, around 70% of what we've learned falls away quickly, and the remaining 30% disappears more slowly over time.
One way to combat forgetting is to make memories stronger and more durable in the first place—we’ll cover some ways to do that in future posts.
But another way to make learning stick is to interrupt the forgetting curve. The best way to do that?
Test your learners.
According to Make it Stick: “Even a single test in class can produce a large improvement in final exam scores, and gains in learning increase as the number of tests increase.”
As the authors explain, retrieval is like exercise for the brain. Any type of practice or recall is better than none, but some factors are especially effective:
- Focus on active practice, not repetition: Asking someone to review material they’ve seen before is much less effective than creating a situation where they’re forced to put that information to use—ideally in new applications, which leads the brain to make new connections and associations with the material.
- Introduce a delay: The further down the forgetting curve someone has progressed, the harder it will be to recall the material, and the stronger the resulting memory will be once they do retrieve it. This doesn't mean that quizzes or test questions have to be hard to be effective! In fact, simply delaying a test creates enough difficulty to strengthen the memory.
- Test more than once: Make it Stick suggests spacing out retrieval activities over time: “Pilots, quarterbacks, and surgeons can tell you: Repeated retrieval can so embed knowledge and skills that they become reflexive: The brain acts before the mind has time to think.”
- Wait to give feedback: Feedback strengthens retention even more than testing alone. Studies show that feedback with a slight delay (for instance, after an entire test is finished) leads to better learning retention than immediate feedback (for instance, after each individual question).
So how can compliance programs put this insight to use?
- More tests, more often: Create and deploy regular compliance quizzes, maybe 3-5 questions each. Ideally, make these a form of active practice: pose a scenario, then ask learners what's wrong in the situation and what they should do. Then give feedback that reinforces correct choices and explains incorrect ones. If you vary the scenarios over time, you'll embed the learning concepts far more deeply than "one and done" training can, even when that training includes a test at the end. And if you cover several different topics in one quiz, you'll leverage the phenomenon of interleaving (or "mixed up practice"), which we'll cover in the next blog post.
- Train by testing: Let’s say you have to train on bribery each year, but you don’t have the time or the budget to launch a new course. Instead of just sending out last year’s course (which the Make it Stick authors would call “repetition”), consider developing a new test that covers the same material, with feedback on any questions that learners get wrong. Still want the audit trail of annual training? Send out the test first and the course second. You’ll get the learning benefit of delayed retrieval, and the test will help you trigger the phenomenon of priming, which we’ll cover in a future blog post.
- Make tests harder: Multiple choice questions have their place, and they're better than nothing! (Any kind of retrieval benefits learning.) But tests that require more effort to answer (e.g., fill in the blank or short written responses) are even more effective than multiple choice or true/false questions.