19 January 2024

Significance of the forgetting curve in security awareness

The forgetting curve by Hermann Ebbinghaus (1885) is a true classic. Ebbinghaus is after all one of the founding fathers of experimental psychology. Even today, the theory holds up (Murre & Dros, 2015).

The curve illustrates how newly learned information fades from our memory. Most knowledge is forgotten shortly after learning. This is particularly relevant in the world of cybersecurity training, where retaining information can literally mean the difference between staying safe or being vulnerable to attack again.

How can you take this into account in your learning program?

Een illustratie die laat zien dat 1 op de 3 medewerkers nooit op een phishing link klikt.

1. Frequency of repetition

To counteract the effects of the forgetting curve, regular repetition is important.

That means your curriculum should include regular updates and repetition training to keep knowledge fresh and applicable.

2. Practical application

Applying lessons learned in realistic scenarios helps reinforce memory. Simulations of phishing attacks or setting passwords securely are part of an effective program.

Any kind of repetition improves retention of knowledge.

3. Engagement & Interactivity

Use interactive elements such as quizzes and skill games to keep participants actively engaged. Different forms of practice increases the likelihood that they will remember and apply the information.

4. Personal relevance

Make content relevant to participants’ daily activities by making learning interventions relatable and personal.

When they see how cybersecurity affects their work and personal lives, they are more likely to pay attention to the learning resource. And the more time someone interacts with the content, the more likely a piece of information will be remembered.

5. Enough time between repetitions

To make a memory stronger in the long term, there must be enough time between repetitions. If newly learned information is repeated too soon, the memory is still too fresh and the repetition will contribute less to strengthening the memory. If you want to reproduce something one year after the moment of learning, the ideal interval between repetitions is 21 days (Cepeda,Vul, Rohrer, Wixted, & Pashler, 2008).

By taking into account the forgetting curve, you ensure that your security awareness program not only informs, but actually changes behavior for the good of a mature security organization.

Would you like to know more about our approach? Find out all about Wave.

References

  • Cepeda, N. J., Vul, E., Rohrer, D., Wixted, J. T., & Pashler, H. (2008). Spacing effects in learning: A temporal ridgeline of optimal retention. Psychological Science, 19(11), 1095-1102. DOI: 10.1111/j.1467-9280.2008.02209.
  • Ebbinghaus, H. (1885). Über das Gedächtnis. Leipzig: Dunker.
  • Murre J. M. J., & Dros, J. (2015). Replication and Analysis of Ebbinghaus’ Forgetting Curve. PLoS ONE 10(7): e0120644. https://doi.org/10.1371/journal.pone.0120644

AWAREWAYS

Euclideslaan 141 3584 BR Utrecht
+31 (0)30 227 14 67
info@awareways.com

Contactformulier