Security Training and Ebbinghaus’ Forgetting Curve

There is a problem with training users outside of the security field. People forget things, so no matter how much we might try to teach them about warning signs there is always a limit. For those who work in security, it is sometimes hard to relate to the problems people outside our domain might have with retaining training. Not only do we tend to take various points as common sense, but we also forget how difficult it is to understand deliberate breaches of the social contract.

In addition, if we’re completely honest with ourselves, we forget to check things as well – it’s just that the regular exposure to incidents that increase awareness means that these points get thoroughly burned in.

Forgetting training

It is very difficult to work out exactly how much of an impact this has. I’m gathering data on security awareness training and prevalence of successful exploitation of the human attack vector. This data is challenging to gather, as many companies consider it sensitive and are unwilling to share. Even where they are willing, many don’t collect the data in the first place. If anyone is willing to contribute data towards this effort, please get in touch.

Psychology has tried to measure a theorized forgetting curve for over a century, with mixed success and no clear consensus. While the debate continues the generally measured curve does tend to adhere to the same shape. To summarise, people tend to forget information fairly quickly – nearly half of whatever they have learned within hours of learning it, but some is retained for a longer period and repetitive learning helps to reinforce recall .

Implications

This implies that at the least, the normal annual model of security training is not remembered beyond a few weeks – let alone modifying user behaviour. Since we’d expect attackers to use their most successful and efficient attack vector, we can draw some conclusions from any increases in attacks against the human vector. So it’s quite notable that from 2015 to 2016 there was an approximately four-fold increase in spam, along with a significant increase in malicious attachments to spam. I’ve seen nothing to suggest that this year will be any different .

The upshot of this is that depending on training patterns I expect to see changes in cyber security instances against the average. I’m looking forward to testing this idea if I can gather enough data.

Solutions

Training companies offer solutions to this problem, many of which are shown to be effective in at least the short term. The important takeaway is that any training must not be a one-off campaign, but must be continuous to reinforce the habits of security in users .

The Ebbinghaus’ forgetting curve suggests the best pattern starts out as a fairly regular prompt, with larger delays between training sessions, tests, or any other method. While continuous heavy investment in training may also be effective, the curve suggests that it will not offer any more return on investment over a carefully structured program. In addition, an annual program is almost certainly not enough to show any long-term changes to decision-making.

The other note, less important for a continuing training campaign such as phishing and worth remembering for lectures, workshops, and presentations is the Primacy/Regency effect. Simply put this is the idea that the first and last content in any presentation is most effectively remembered. 

Hopefully, more data on training and the long-term effects of it will become available – until then this is only theory. Security awareness training programmes must be carefully considered and not simply a check box exercise for compliance. At least if a company wants employees to actively protect both it and themselves.

Humans are any company’s biggest attack surface. The right training and education reduce the attack surface substantially. Nowadays anything that reduces the risk of a cyber security incident is worth considering carefully, and as a bonus, better-informed employees are likely to make better decisions outside their professional domains.

References

If you or your company are willing to help by contributing data to the research effort on this, please get in touch. Leave a comment or jump onto the contact page to discuss it. Any resulting research will be publically available, with data and sources anonymised for obvious reasons.

Join the discussion