Cybersecurity Training in the Magic Kingdom

What I learned about designing cyber lessons after working at Disney
Sept. 24, 2018

What would be the most uncomfortable place to have a stranger approach you and bring up knowledge of your personal life? An elevator? A public bathroom? Bathrooms (especially public/work restrooms) represent a nearly universal uncomfortable human experience. It seems as though as soon as we swing open a bathroom door, our default behavior is to go silent and avoid eye contact, let alone engage in personal conversations.

So when I was creating a video on the topic of social media privacy and wanted to immediately make the audience squirm, I knew which location to choose: a workplace bathroom. It was an overwhelming success.

Let me back up: I had just been hired for the role of Security Awareness Manager for Disney and my first major project was to update the annual required security awareness training that was assigned to every single employee. This is one of a few mandatory trainings most companies are required to deliver to employees.

I had several immediate concerns with this:

  • The topics were boring (for most non-cybersecurity analysts) and technical
  • Everyone would need to complete the training…even Disney CEO Bob Iger would be assigned the training. Everyone.
  • The general user at Disney has a very discerning eye, considering they are responsible for creating experiences like Frozen, the Marvel universe films, ESPN, Disney’s theme parks & resorts…needless to say the baseline for entertainment expectations was rather high.
  • The available training content in the market was drab, boring, and completely overwhelmed the user with information.

After exploring a handful of vendors and finding that I (as the would-be training content owner) couldn’t complete the trainings without tuning out, nodding off, or multitasking, I went back to the drawing board.

When you’re given the opportunity to work for the “house of the mouse,” you get a unique glimpse into how such a massive corporation operates, and the countless processes and formulas its employees use to ensure quality and consistency of product. At the same time, I had just started learning about behavioral psychology and neuroscience: I was interested in understanding how humans learn, what motivates us to choose different behaviors, and more importantly, how to influence those choices so that people would, for instance, complete a cybersecurity training or change risky cyber behavior.

A recurring theme in a lot of the books and podcasts I was devouring was how important storytelling is to engaging an audience. I was in the belly of the ultimate storytelling beast! I began to pay attention to storylines, arcs, and specifically, themes and learning moments across different Disney films (most significantly feature-animation).

What I began to notice was a consistent pattern, whether it was a Pixar original like “Inside Out” or Disney’s “Frozen”, or even “Guardians of the Galaxy.” Disney masterfully embedded a few life lessons (or learning moments) into each film. Using character arcs, which refer to the transformation or inner journey of a character over the course of a narrative, the audience would follow the stories of three to four characters – a hero, sidekick, and villain, for example. Over the course of 90 minutes, each one of those characters learns something. And through this storytelling technique, the audience is learning those same lessons.

My evaluation suggested that Disney, in all its infinite wisdom and likely hundreds of millions of dollars in market research, has concluded that the average audience can digest one lesson every 30 minutes or so.

But when it came to the information security industry and security awareness training, I found some very different statistics: the average compliance training was averaging 60 minutes with 7-10 topics, each containing 3-5 learning points. It seemed that infosec training designers had come to very different conclusions about their audience than Disney market researchers: that the average employee can process 30 pieces of information in 60 minutes, or one new piece of information every two minutes sustained for an hour. Now, I’m not one to make assumptions, but I’m willing to bet the market research Disney did versus what the vendors in the infosec space did were probably not equal.

With this realization, I decided to focus on creating training content that was more consistent with the Disney formula. Instead of relying on any externally produced content from outside vendors, I wrote the scripts, came up with the scenarios, and included the learning takeaways in a way that resembled a movie or TV show. The first video we produced and released went viral internally—meaning that my coworkers were sharing it across internal social platforms, and it racked up nearly 20,000 views. The average number of views for other internal videos hovered around 1,000. Set in an elevator, we used humor and realistic awkward conversation to discuss the importance of social media security settings. In a 2-minute video, we told a story where the audience learned how what they shared on social media was public to people they didn’t know. The actor portraying the very serious business person distracted on his phone was taken by surprise that the goofy, warm coworker in the elevator with him knew about his neighborhood, his vacation plans, his pets…all in a very humorous exchange.

The intended behavior change was to set your accounts to be private. It was funny, genuine, and more importantly, memorable.

We continued this approach – creating short, funny, 2-3 minute live-action videos to deliver reinforcement moments, paired with slightly longer (4-5 minute) animated videos that discussed each concept a little more in depth. So, what happened next? More people completed the training, and they did it faster than before (i.e., with fewer follow-up emails).

People were actually tweeting about the training (it helped that we had Mark Hamill voice over the animation). Using anonymous follow-up surveys, employees were showing behavior change (in some cases 80+% of those surveyed who viewed the elevator video stated they had changed at least one privacy setting on a social media account).

Importantly, people were talking about the video, laughing about it, and asking to share it with friends and family.

Lest it seem like I’m just jumping to the happy ending without sharing more about the challenges I went through and the lessons I learned in my own character arc, I’ll say this – it wasn’t a simple path. Along the way, I had plenty of roadblocks, concerns, and objections.

Leadership, for instance, was concerned it would be “too fun” and “not serious enough” to tell the types of stories I wanted to tell. Others worried that my approach didn’t address all the different learning styles — for instance, the research suggesting that Baby Boomers may process information and learn differently than millennials. Some stakeholders wanted a lot of gamified elements and “click to learn more” engagement tactics.

I listened to these concerns, and then I took a step back and looked at how, as a society, we were choosing to consume information and entertainment. Most of us seek refuge in our phones as soon as we have a free minute: red lights, standing in line, during meetings -- and often what we’re consuming is short videos. It’s how we like to digest information. So, why not deliver the training in the same way we preferred to consume information in our personal lives?

Likewise, I appreciated and considered all of the research and studies that point to one method of learning over another. However, when you’re dealing with a topic that is from the start not interesting and often looked at as a requirement, forcing engagement and gamification elements into that topic usually fails. On the other hand, it’s hard to distract someone from a good story. My biggest lessons: Keep it short. Keep it humorous. And focus on storytelling and conversational dialogue.

The art of storytelling is crucial to security awareness, and being able to do it in an engaging way is a skill that will carry a corporate awareness program to success. Since seeing the impact of this across many topics, I’ve made it a point to implement storytelling every way I can when I deliver information, whether I’m speaking at a conference, writing scripts for new videos, blog posts (ahem), or just engaging in conversation on LinkedIn and Twitter. My personal character arc has led me to realize the power of simple and relatable conversation, and how to approach a discussion from the user experience and really focus on what the story is.