The difference between training and learning

September 6, 2022

A security awareness training program is only as strong as the lasting outcomes it creates: changed behaviors based on lessons learned. For students of a program to internalize the lesson material in a way that creates real behavior change, the program needs to focus on moving from training to learning. 
 

1. Training is a check-the-box activity, while learning is a critical thinking exercise.

Training program curricula are developed to ensure that employees are taught a set number of things over a given number of days. To complete the training, employees just need to complete each lesson and exercise, and then go back to their daily routines. By contrast, learning isn’t just checking the box to complete an activity, but rather using critical thinking skills to apply those lessons to their work. Training happens when the employee absorbs new knowledge, while learning happens when the employee applies that knowledge. 

2. Training is short-term, while learning is long-term.

You know the saying: “Give a man a fish, you feed him for a day; teach a man to fish, you feed him for a lifetime.” Cybersecurity training is a short-term commitment that can be measured in days, weeks, or months. The lessons learned from the training, on the other hand, should lead to good cyber habits that last for a lifetime. 

3. Training is a process, while learning is driven by outcomes.

To measure the success of a training program, many companies look to the completion rate. Did all of the employees required to complete the training actually do so? Was the process followed and were the steps executed effectively? While those metrics are important, what’s even more important is the value that the learner gains from completing the training. What are the lasting outcomes? What did they learn? In our case, the learning is demonstrated in their behavior change: reducing risky behaviors online, avoiding suspicious emails, or reporting security incidents.

4. Training is focused on the “what,” while learning is focused on the “how.”

To optimize a training program, facilitators must think about what lessons should be included in the course. To optimize learning outcomes, facilitators must focus on how students will retain that information and in what ways they can create long-term behavior change.

5. Training fulfills company goals, while learning should fulfill personal goals.

Learning—particularly cybersecurity learning—needs to be a personal goal, not a “work” goal. Expectancy-value theory says that motivation to learn comes down to 1) the learner’s expectation that they will perform a task well (the higher that expectation, the more motivated they are) and 2) the value of that task. To get employees to feel like security awareness learning is a personal goal, security awareness training programs have to tap into employees’ personal motivations. Frequent quizzes help students quantify how well they are doing their cybersecurity “tasks” and can increase their expectations of doing well. And offering engaging, useful, relevant, and time-effective training content helps to ensure that employees look forward to learning good cyber hygiene habits each month.
 
In conclusion: Cybersecurity learning means that employees are putting their training into practice to keep the company safe from real-world threats. Companies that build their cybersecurity platform around the facilitation of long-term behavioral change among employees will eventually develop a robust and permanent cyber-aware culture.