A study involving 355 university staff — students, faculty and staff — showed that adding mindfulness instruction during technology security training is much more effective than adding rules.
That’s because when information becomes repetitive, it creates the feeling that “‘you’ve got it all figured out,” which in turn leads to inattention.
During the study, they separated three groups: one that received rule-based instructions, another that received no instructions at all, and a third group that received mindfulness-based instructions, such as:
Take a break when an email demands action;
— Consider the nature, timing, purpose, and how appropriate the requested action is;
— Consult a third party if there is anything suspicious;
Some time later, they sent a test attack:
— 13% of those in the first group fell for the attack;
— 23% of the second group, too;
— Only 7% of the members of the third group fell.
Have you really been preparing your employees to prevent cyber attacks, or do you just fill them with rules from time to time?