Evaluating Skills-Based Training for Employee Risk Recognition and Reporting of Malicious Elicitations – IN PROGRESS
By virtue of their access to personnel, facilities, and information, employees present an opportunity for intelligence collectors, news entities, and industry competitors to expand their knowledge about an organization’s technology, capabilities, or vulnerabilities. Employees must balance day-to-day work duties and expectations alongside organizational duties and expectations related to recognizing risks posed by malicious elicitations (i.e., maliciously extracting privileged information from an employee). Risk recognition and reporting behaviors require a set of cognitive skills to recognize a risk, interpret the type of risk, overcome barriers to reporting, and report through appropriate channels in a timely manner. This research study develops, tests, and evaluates whether a new training approach, known as a skills-based training model, improves real employee performance in risk recognition and reporting of malicious elicitations compared to the current awareness training.
Government and industry employees are currently trained to recognize and report risk using an awareness-based training model. This training is also often annual, virtual, and self-paced. The awareness and information-based training model has several limitations, including: (1) employees retain information poorly, (2) employees fail to recognize risks after training, and (3) employees fail to apply the information in the real world when exposed to actual risks. An alternative model is skills-based training. Skills-based training models focus on the implementation of specific skills and behaviors. Skills-based training was developed through the study of skill acquisition. Learners are expected to spend training time engaged in hands-on real-life activities to learn, develop, and practice skills. Skills-based training aims to make learners proficient in the skill and to equip them with the confidence required to competently apply that skill when necessary. Compared to awareness-based training, skills-based training requires practice and feedback, is shown to preserve and even improve learning over time, and improves recognition of real-world situations where the learned content can be applied. Given the potential for skills-based training to improve risk recognition and reporting beyond that of awareness-based training alone, this research study examines the primary hypothesis that skills-based training leads to more effective risk recognition and reporting behaviors than awareness-based training.
To adequately measure whether skills-based training improves employee performance in risk recognition and reporting, it is necessary that the risk behaviors selected for training are representative of the most concerning risks to an organization and occur with enough frequency to be reported. This study will focus on improving risk recognition and reporting of malicious elicitation, which requires being able to differentiate it from professional networking. Employees need to be able to recognize and report interactions that look sufficiently different from what would be considered “normal professional networking,” so that they can recognize when an unexpected or unplanned interaction with someone is actually malicious elicitation. The study will measure whether skills-based training increases an employee’s ability to distinguish between social and professional networking and malicious elicitation.