It’s something we all know instinctively: if a whole load of new information is thrown at you, your recall of it will be somewhat cloudy one week later. This is exactly what German psychologist Hermann Ebbinghaus showed back in 1885 when he developed the forgetting curve. Though his research is over a century old now, the principle remains true today. Most of what you learn will be forgotten within an hour.

Security training

This may help explain in part why people are still falling victim to phishing attacks. Did their security training consist of being herded into the break room for a lunch and learn while being shown a bunch of slides on how to recognise the signs of a phishing attack? Was that the entirety of their security training for the last 6 months? If so, as Ebbinghaus showed, memory retention will be down around 20%, so mistakes and clicks will be made!

So how do you get around this? Well, Ebbinghaus also showed that revising the information frequently greatly enhances retention of newly learned information. Translating this to security awareness training, we can see that training must be repeated frequently; think short snippets every month rather than a 1-hour presentation every 6 months.

Here at Simplify Security, that is exactly what we believe. Our Managed Security Awareness training is done in short, sharp doses. We recommend once a month. What Ebbinghaus hadn’t yet discovered back in 1886 was the power of storytelling and engaging content, which greatly enhance the memorability of information. Facts listed as bullet points are soon forgotten, but a story can engage many areas of the brain, including the motor cortex, sensory cortex and frontal cortex, making recall much stronger.

If you are still experiencing people clicking on phishing emails, it’s time to evaluate your security training. Make sure it’s delivered often in short doses with engaging content to enhance memorability.
