Tuesday, 14 July 2020

Designing an Information Security Campaign

For the past few months, I've been kicking some compliance training ideas around in my head. Since my memory is less than perfect, and (more importantly) since these ideas help nobody while they're inside my head, I've taken some time to put them to paper (literally). Then I had to to spend a little more time deciphering my chicken scratch.

In order to give them some coherence, I've organized them into a sample compliance program based around information security.

Here's what I have for you so far.


Key Considerations
  • Frequent “top-ups”, to help keep the information fresh. There’s something happening every month. This also reinforces that information security is an ongoing activity, not a “one and done” event.
  • Quick hits. Although there’s something happening every month, none of it is long.
  • Real KPIs (Key Performance Indicators), based on information security red flags and actual incidents, not on vanity metrics (such as course completions or test scores).
  • Real-world tests, because life doesn’t ask you multiple-choice questions. 
  • A course, but not always, not for everybody, and not necessarily all of it (more on this later).
  • As needed, if needed support elements.
  • Story-based delivery. The "When Spies Attack" series illustrates information security concepts in a narrative-driven manner.
  • Variety. Some years “When Spies Attack” will be a comic, other years it’ll be a podcast, maybe it's an episodic game another year.

Wednesday, 7 August 2019

Canadian eLearning Conference 2019

Last month, I attended the Canadian eLearning Conference in Toronto, Ontario. It's been on my watch list for several years (from back when it was the EACH Conference), but I was finally able to make it this year.

Conferences can be definitely expensive, between the registration, travel, accommodations, and meals. That said, I love going, and here's why:

Friday, 5 April 2019

Let's Make Compliance Training More Efficient

Can We Do Something About Compliance Training?
Please!


I've been thinking about compliance training lately. 

Thinking about how everybody loves it. About how much people look forward to it. About how people are constantly breaking down my door asking to take more of it. It's costing me an arm and a leg in hinges!

Speaking of costs, has anybody done the math on how much it costs companies to put all their employees through annual compliance training?
Suppose we take a fictional company with 1000 employees who are paid an average of $50,000 per year. For every hour of training those employees go through, the company has to pay out over $24,000 in salary - without getting any productive work in return.

I know compliance is important. You can all put those pitchforks back down. I don't want to do away with it. I would, however, love to see us (as an industry) make compliance training more efficient. To that end, I have a few crazy ideas I'd like to share with you.

Crazy Idea #1: Shorten annual re-certification
Maybe we can replace annual re-certifications with something shorter? Imagine you're a new hire with Company X. In your first few weeks, you take an anti-harassment course. The L&D team did a wonderful job. The course is beautiful, it's engaging, and it's focused on what you need to know.
Fast forward twelve months, and it's time to re-certify. You load up the LMS, quivering with anticipation, eager to see what this year's anti-harassment course will look like. It looks like last year's course. Last year's course looks like the previous year's course. And so on. After 20 years, you'll be able to recreate the course from memory. After 5 years, I very much doubt you're going to learn anything new.
What if we did the full fancy course for new hires, then gave people options for re-certification? They could complete the courses again, or they could read the policy and sign (physically or digitally) an form agreeing to abide by it.

Crazy Idea #2: Target the people who need it
Wouldn't it be great if we could know who really needed the training and target them specifically? For example, if we knew who was most likely to take a bribe (before they actually did) we could give them anti-bribery training to prevent it. If you want to get really fancy, you could use predictive analytics, but there are simpler ways.
Do you recall those stories about researchers leaving thumb drives out and monitored how many people plugged them into their machines (48% at a university and 60-90% at government buildings and private contractors)? Why not work with IT to run a similar test? Anybody who plugs in the thumb drive gets enrolled in the computer security course.
Worried about physical office security? Maybe you can hire some mystery shoppers to try shoulder surfing or piggybacking. Based on how people react, you have a pretty good idea of who needs training to recognize and deal with social engineering. As a bonus, this is a more accurate test than a eLearning course (after, who worries about offending the characters in a course?).

Crazy Idea #3: Make it adaptive
What if people got a customized version of their compliance courses?
People who know their stuff get to breeze through quickly, while those who need a little more coaching get the attention they need. You can do this with an adaptive course.
For example, you might have a pretest, then tailor the course based on the results of that pretest. Alternatively, you might have checkpoint activities in the course, then branch out depending on how people handle them.
If you'd like to learn more, I encourage you to check out this article. If you're going to be in Toronto in July 2019, you may also wish to come to the Canadian eLearning Conference, where I'll be facilitating a hands-on session to teach people how to make their own adaptive courses in Articulate Storyline.

Tuesday, 6 February 2018

An Idea for Measuring the Effectiveness of L&D



Is it just me, or is nobody talking about measuring the effectiveness of Learning & Development? 

Don't get me wrong, there are plenty of options for (and discussion about) evaluating attendance and completion (aka: butts in seats), reaction, learning, behaviour, results (Kirkpatrick's Levels 1-4), and even return on investment (or ROI, Phillips' Level 5).

That's all well and good, but it's also strictly transactional. All we're evaluating is a single course, intervention, or program.

Why aren't we measuring the L&D function as a whole?


Measuring the effectiveness of L&D

Tuesday, 30 January 2018

Roll the Bones in Storyline 360 - A Rolling Die Interaction


Roll the Bones in Storyline 360


Ever since Articulate announced the random number feature for Storyline 360, I've been kicking around various ideas for using it - I'm sure many of you have as well.

I'm thinking my first project will be a board game. A key element of many (most?) board games is rolling dice, so I wanted to include an animation of the dice rolling. 

Unfortunately, I'm no animator. I did some Google-fu and came up empty. If you can't find something online in five minutes, it might as well not exist.

So I made the animation myself, in Storyline 360 - using only standard features (no JavaScript, no video editing). Here's what it looks like in action: 

Sunday, 12 November 2017

DevLearn 2017 Recap 1: Building an Adaptive Course in Storyline


It's been two weeks since DevLearn 2017, and I'm still collecting my thoughts.


To get things going, here's a recap of the session I facilitated, number 715 on the agenda: "BYOL: Building an Adaptive Course in Storyline".

The four objectives of the session were to learn how to:
  • customize course content based on pretest results
  • show remedial content only when needed
  • end the final test early—as soon as the learner passes or fails
  • make your course adjust itself based on learner performance
We'll do all of it, without any JavaScript, coding, or magic.

Are you sitting comfortably? Then we'll begin.


Sunday, 15 October 2017

DevLearn, Here I Come!


Next week is DevLearn 2017, the eLearning Guild's biggest conference of the year, and I couldn't be more excited.

This is my first time attending DevLearn, and only my second time attending a conference. I attended Learning Solutions Conference (LSCon) in March 2016 and had a blast. So many sessions! So much to learn and bring back to my work. Also, I got to meet many people I've only interacted with via Twitter. By all reports, DevLearn should be similar, only more. Also, there's a stronger technology focus, which fits nicely with my role and my interests.

So, what am I looking forward to most? Well, everything. Here's what I mean: