M+E Europe

Xcapism Learning’s immersive and gamified approach to cybersecurity and privacy training shows what it takes for people to retain up to 90% information they are given and truly influence positive behavioural change and culture in the workplace, according to Meera Mehta, CEO and co-founder of Xcapism Learning.

People generally only remember up to 30 percent of information they are given through traditional communications and awareness at work, she pointed out during the breakout session “Hack to the Office” at the June 29 Content Protection Summit Europe (CPS EU) event, citing data from National Training Laboratories Institute for Applied Behavioural Science.

That 30 percent is for demonstrations, she said, noting audio-visual info only results in 20 percent remembered, reading 10 percent and lectures 5 percent. That is because “you’re not fully engaged” with such learning, she told viewers. And that means “you’re unlikely to change your behaviour going forward,” she warned.

The numbers are much better for learning while practice doing what is described (75 percent) and teaching others by passing along such info as how to identify phishing emails (90 percent), she pointed out.

For training to be effective and “have a positive impact on behavioural change, you really need to be aiming for at least 75 percent retention,” she said.

“Let’s be honest: How many of you here today can say that you and your teams enjoy cybersecurity training and privacy training?” Mehta asked rhetorically at the start of the session. “This isn’t a live session where any of you can answer but I’m guessing not many.”

Noting that Xcapism took feedback from colleagues that it previously worked with, she said, “they told us that they wanted something fun, engaging and immersive.”

To meet that demand, the company decided to “give the people what they want,” she said, adding: “We took the traditional methods and made them better.”

Until now, traditional training and awareness has been made up of Intranet articles, text, images and “a bit of video content in a traditional style which can be seen as plain,” she noted, explaining: “These generally list the security threats and what you need to do, and sometimes use our good old friend, the guy in the hoodie, to put the fear of God into you. You can also have live demos, slide presentations, hear from a speaker and you might even be able to see a live hack. Then you’ve got the good old mandatory training, which shows text detailing threats, examples and steps you should take to head them off, generally followed by a test.”

However, many people at companies “told us that they keep clicking ‘Next’ until they get to the end, without paying any attention to the actual content,” she told viewers, adding: “Let’s face it. This is not truly learning…. There is nothing wrong with the content within these methods of training but it is the delivery that is absolutely key.”

In addition, “how much are people actually going to remember” when it comes to traditional education approaches, she asked viewers.

On top of all that, “keeping the fires alive with learning is hard enough when everyone was in the office but now a bunch of companies have adopted what seems to be a fairly successful hybrid working model where the majority of people are working from home and only a few going into the office on a need-to-go basis,” she pointed out.

As a result, “cybersecurity has never been so important,” she said, explaining: “It’s crucial to make sure that any learning that is given in any subject doesn’t just tick a compliance box but is actually learned and understood by colleagues as they are the first line of your defence. To influence change, the first thing to look at is are people retaining the information being given to them. If they are, they’re actually more likely to act on it.”

There are a few reasons why practice and gaming are effective in training, according to Mehta. The first principle is discovery, she said, noting her company’s training does not require anybody to “have any prior knowledge of cybersecurity or privacy but, instead, we give them a sense of lateral thinking challenges using everyday objects as an analogy for cyber and privacy threats.”

When people are discovering information, they are “already engaged and retaining knowledge without even knowing it,” she told viewers. Making the content immersive and engaging with a story in which one puzzle leads to the next puzzle and “there is a defined goal at the end” makes the training even more effective, she noted.

She went on to demonstrate how that is done with the title Breakout: Cyber Escape Room.

Xcapism learned, however, that not everybody is ready for an immersive experience like that so the company created more “bite-size” content to “please everyone” with short, static comics that retain the information and message of the games, she said. The company also created short newsletters that provide people with new information, she noted.

There are “a bunch of games we’re working on at the moment and next up, which will be coming very, very soon, is our Hack to the Office games” that will focus on reminding people what “good cyber and privacy hygiene” are as they increasingly return to their companies’ offices, she added.

Content Protection Summit Europe was presented by Convergent Risks, with sponsorship by Richey May Technology Solutions, Synamedia, BuyDRM, Friend MTS, NAGRA, and X Cyber Group.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA board of directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.