
Awareness training always has an attitude

A lot depends on why you think you’re training people.  That motivation comes through in the attitude.  And that attitude has a lot to do with how successful the training is.  By my estimate, there are any number of nuanced attitudes but they more or less gravitate to one of three motives:

  1. We’re training you because we need to. We ain’t compliant until you are trained so sit down, log in and take the course.
  2. We’re training you because you are a threat. Our users are our weakest link and so you need to be taught how to be less vulnerable to attack.  We need you to pay attention to keep our data safe.
  3. We’re training you as a service to you. Training is one of the many tools we provide you with to be safe in the workplace.  If we invited you to tour an active construction site, we would give you a hard hat to wear to keep you safe.  Yes, it would be to comply with OSHA regs, and yes, it is required to protect ourselves from liability, but in the end, it is your safety we are looking out for.

Of course, I see the third option as the only viable one.  Telling a user that they need to be trained to check a box on a compliance report is the surest way to get them to tune out.  Tell a user they have a responsibility to protect the organization, and they may not talk back to you, but they will look at their job title and think “doesn’t say I’m a security officer.”

Our motives for training people are reflected in the tone the training takes and in how it is presented.  It’s worth being careful about it.
