The Need for Simulation and Situational Awareness in Cybersecurity Training – A Neuroscience Perspective

Organizations are more vulnerable than ever to cybersecurity threats. Global annual cybersecurity costs are predicted to grow from $3 trillion in 2015 to $6 trillion annually by 2021. To stay safe, organizations must train their employees to identify cybersecurity threats and to avoid them. To address this, global spending on cybersecurity products and services is projected to exceed $1 trillion from 2017 to 2021.

Unfortunately, cybersecurity training is particularly challenging because cybersecurity is more about training behavioral “intuition” and situational awareness than it is about training a cognitive, analytic understanding. It is one thing to know “what” to do, but it is another (and mediated by completely different systems in the brain) to know “how” to do it, and to know how to do it under a broad range of situations.

Regrettably, knowing what to do and what not to do does not translate into actually doing or not doing. To train cybersecurity behaviors, the learner must be challenged through behavioral simulation. They must be presented with a situation, generate an appropriate or inappropriate response, and must receive real-time, immediate feedback regarding the correctness of their behavior. Real-time, interactive feedback is the only way to effectively engage the behavioral learning system in the brain. This system learns through gradual, incremental dopamine-mediated changes in the strength of muscle memory that reside in the striatum of the brain. Critically, the behavioral learning system in the brain is distinct from the cognitive learning system in the brain, meaning that knowing “what” to do has no effect on learning “how” to do it.

Cybersecurity behavioral training must be broad-based with the goal of training situational awareness. Cybersecurity hackers are creative, with each attack often having a different look and feel. Simulations must mimic this variability so that they elicit different experiences and emotions. This is how you engage experiential centers in the brain that represent the sensory aspects of an interaction (e.g., sight and sound) and emotional centers in the brain that build situational awareness. By utilizing a broad range of cybersecurity simulations that engage experiential and emotional centers in different ways, the learner trains cybersecurity behaviors that generalize and transfer to multiple settings. Ideally, it is also useful to align the difficulty of the simulation to the user’s performance. This personalized approach will be more effective and will speed learning relative to a one-size-fits-all approach.

If your organization is worried about cybersecurity threats and is looking for a cybersecurity training tool, a few considerations are in order. First and foremost, do not settle for a training solution that focuses only on providing learners with knowledge and information around cybersecurity. This “what” focused approach will be ineffective at teaching the appropriate behavioral responses to cybersecurity threats, and will leave your organization vulnerable. Instead, focus on solutions that are grounded in simulation training, preferably with content and delivery that are broad-based to train situational awareness. Solutions that personalize the difficulty of each simulation are a bonus, as they will speed learning and long-term retention of cybersecurity behaviors.