StockPhotoPro -

Is this Netflix-style thriller the future of security training?

Cyber awareness specialists at KnowBe4 reckon that bringing Netflix-style production values to corporate videos heralds a new approach to security training

This article can also be found in the Premium Editorial Download: Computer Weekly: Making home working work – a guide for IT leaders

Most people working in a corporate environment will have been made to sit through tedious training videos shot on poor quality equipment using actors charitably described as wooden. Much like the health and safety incidents and accidents they tend to portray, it’s a risk of the job – and, of course, the lessons never really stick.

Leicester-based production company Twist and Shout has been on a mission to change this since the late 1990s. Over the years, the firm has produced “compelling and effective” training videos for the likes of AstraZeneca, Barclays, Deutsche Bank, Michelin, Siemens and Vodafone – as well as, intriguingly, McAfee and Symantec.

However, its latest project, Netflix-style episodic security thriller The Inside Man, possibly ranks as its most ambitious yet, and the people who commissioned it, security training firm KnowBe4, enjoyed the first season so much they not only asked for a sequel, they bought the company.

Over the past decade, KnowBe4 has established itself as a trusted source for organisations keen to increase awareness – much of its training was developed by its chief hacking officer, Kevin Mitnick, who aficionados of cyber security history will remember as the guy with the payphone and the nuclear missile.

But with the best will in the world, even with an ex-hacker like Mitnick on board to spin security stories so far-fetched you might doubt they were true, one thing is painfully obvious: nobody ever bloody listens to security training.

Jim Shields, creative director of Twist and Shout and director of The Inside Man, and Perry Carpenter, chief security officer at KnowBe4, hope to change that through an appeal to emotion over facts. But to find out why they think this approach is a winner, we must first go back a few years.

Clues in comedy

For Shields, the lightbulb moment that training worked better when people felt emotionally invested came almost by accident, when a consultant he was working with observed that he was defaulting to a comedic approach to content creation. Put simply, Shields was accidentally-on-purpose making funny training videos that people enjoyed, even die-hard cynics.

“Even though I’d never worked for a corporation, I was aware the films we were making were fulfilling an employee awareness function, so we started to be brave and use more comedy in that,” says Shields. “Once you open that channel, you can put all sorts of behavioural information in there.”

Carpenter, a specialist in the subject of security training and cultural awareness (he has written books about it), likens the emotional approach to the spoonful of sugar that makes the medicine go down, or more aptly in the cyber security world, a trojan horse.

“There’s something fundamentally human about how people engage in content when there’s emotion behind it, when you embed reasons why you should care about the characters and topics. I wanted to experiment with that to hide the learning inside the overall story,” says Carpenter.

The two men came together when, having enjoyed Twist and Shout’s earlier Restricted Intelligence training resource, Carpenter approached Shields with the idea that they might work together on something.

“I had admired Jim’s work for years, so we set aside time to brainstorm about what we might want to accomplish,” Carpenter tells Computer Weekly.

“Our goal was to create a series unlike anything else that existed in the corporate training landscape. People had been copying the comedy format, so if I was to have Jim create another series along those lines it wouldn’t set itself fully apart.”

Shields adds: “We have a mantra; entertainment first. If you don’t entertain people the story is lost, so the idea was to weave training into a dramatic storyline, rather than putting it front and centre, which pushes the entertainment to the back, which was something we wanted to avoid. We wanted to make sure people wanted to see more.”

The Inside Man

The result was season one of The Inside Man, a 12-part series of 10-minute episodes – each comprising a learning vignette covering, for example, password hygiene, how to spot phishing emails, and so on – that put together takes the form of a feature-length cyber security thriller.

The plot centres on Mark, the titular inside man, a black hat put inside the company by shadowy forces to bring down its systems and compromise its data

The plot centres on Mark, an (at first) socially inept loner, who starts his new job as an IT security analyst at a large corporation. Mark is, in fact, a plant, the titular inside man, a black hat put inside the company by shadowy forces to bring down its systems and compromise its data.

However, as Mark settles in to the day-to-day of office life and starts to make real-life friends, he begins to realise that he might just be the bad guy. After a crisis of conscience, and ably assisted by his new best friend AJ, who knows nothing of Mark’s past, he succeeds in turning the tables on his controller Maurice and stopping the big hack before it goes down.

But as Mark and his colleagues celebrate, Mark’s new colleague (and, perhaps, a possible love interest?), Charlotte, slips away to take a phone call. The hack is back on. Or is it? Season two will reveal all.

Reception to season one of The Inside Man was overwhelmingly positive. Carpenter recounts how at test screenings, one KnowBe4 employee spoke excitedly about how he had observed a paradigm shift in security training. After its release, he says, there have been reports of users binge-watching the available episodes and pestering their security teams to find out how the story ends.

“We constantly get a stream of feedback from security admins saying they now feel like heroes, they have people coming to them for more training,” says Carpenter.

Similarly to how Netflix works, The Inside Man is hosted on KnowBe4’s platform along with the rest of its training content, waiting to be assigned to users by their security admins. In the background, machine learning algorithms toil away to recommend it based on certain criteria, such as for people working in verticals where it has proven particularly popular.

“We feature it online, evangelise it to customers, and get in touch to make sure people are using the platform,” says Carpenter, “[but] the last thing we want an employee to feel is that they have to watch this. We don’t advocate for it being part of mandatory training. Best practice for this is for the organisation to have mandatory security training materials, and people get to watch The Inside Man if they wish to.”

And they do wish to. KnowBe4 has even reported people signing up for its free trial tools, but when contacted by the sales team, discovering that they were ex-employees of its customers who had seen parts of the show at their old jobs, then gone to work somewhere else and wanted to find out how the story ended. “I don’t know that you get that with traditional training, but it’s great for my pipeline,” quips Carpenter.

Future of training

It was in part on this basis that KnowBe4 was prepared to bankroll the second season, and really push the boat out. “We felt brave and bolstered,” says Shields. “Perry was very kind and shared with us lots of comments, and so we were thrilled and excited to see the formula was working.

“It gave us courage to be braver with the storyline. They backed us to the hilt on these grander story arcs, that we would not have thought of suggesting in season one.”

Fans of the show will be pleased to know that as season two drops, work on season three has already begun, and KnowBe4 has approved a multiseason arc.

“It’s exciting,” says Shields, “because we can build a more in-depth story and take viewers on a rollercoaster ride over multiple seasons.”

Read more about security training

Read more on Security policy and user awareness

Data Center
Data Management