Learning campaigns

Client
CybSafe
My role
Product Designer
Timeframe
Jan 2023 – Aug 2023

CybSafe helps security teams manage human cyber risk. In 2022 it was recognised as an industry leader for its focus on behaviour change. But by the end of the year, it became clear that the training platform from its early days was holding back the user experience. So much so, that it was consuming everything that customers could spare.

I led the design process to reimagine CybSafe’s security awareness training platform and align it with their new vision. The update was well received and helped to secure renewals valued at approximately $300k of the company's ARR.

Highlights

An interface showing a list of courses. Each one displays a progress bar with three modules as cards containing their details and an arrow icon to show it is clickable. Below is a link to view all modules in the course.
Users receive personalised security awareness training via the CybSafe platform.
A mobile interface showing a list of courses. Each one displays a progress bar with one modules as a card containing its details and an arrow icon to show it is clickable. Below is a link to view all modules in the course.
Off-site users could use the mobile app to complete their modules.
The interface for setting up 'Learning campaigns'. It shows a table of campaigns with details like their name and status. There is also a button to create new campaigns and a link next to the title for accessing reports.
Admins can schedule and run multiple training campaigns from CybSafe’s admin panel.
The 'Audience' step of creating a Learning campaign. It has options to add audience rules, with two rules having been added already. 'Cancel,' 'Back,' and 'Next' buttons are at the bottom.
Audience rules let admins assign personalised training to users based on their attributes.
The 'Modules' step of creating a Learning campaign. It has a table of modules with links to preview them. Two have been selected using checkboxes next to their names. 'Cancel,' 'Back,' and 'Next' buttons are at the bottom.
Each campaign can contain any number and combination of modules.

How it went

💰 $300k of ARR

Secured from churn

📚 60% of courses

Assigned via user attributes

📈 46% adoption

1 month after release

📈 96% adoption

1 year after release

Process

Background

Who uses CybSafe?

In general there are two main user groups who interact with CybSafe, albeit in different places.

🧑‍💻 Admins

Security professionals in an organisation who manage the CybSafe platform on its behalf.

🧑 Users

Employees who interact with the CybSafe platform as decided by admin.

The status quo

CybSafe launched in 2018 as B2B security awareness and training (SA&T) platform. It offered a library of modules to its customers, each covering a specific cyber security topic. Admins could assign these to groups of users as they saw fit. The assumption was that knowledge and awareness of cyber security enables people to protect themselves and their organisations from cyber threats.

Old version of the Groups page. It displays a table of 20 groups with details such as their names and number of people. Each row includes a 'View module assignment' link.
Assigning modules to users was a demanding and time consuming task.

Problem

Key insights from admin calls

The Product and Design teams often joined Customer Success calls to gain insights about admins’ experiences with the product. From these calls we gained several insights about CybSafe’s SA&T offering.

🛠️

Setting up training was tedious because admins had to manually assign modules individually to groups of users.

🔄

Training was irrelevant, annoying users with the same annual training that failed to meet their specific needs.

🔎

Users were being grouped by attributes by admins to try and assign more relevant training to them.

📅

Admins relied on external spreadsheet apps to schedule and keep track of multiple SA&T initiatives.

🎓

Annual training is still essential because it’s a requirement for organisations to qualify for cyber insurance.

💸

Customers were at risk of churning! With a combined value at approximately $300k of CybSafe’s ARR.

‘Security awareness training is dead’

At the same time, CybSafe’s vision had changed. Driven by the Science & Research team, focus shifted away from SA&T to Human Risk Management (HRM). It acknowledges that several factors influence human cyber risk. Knowledge & understanding is just one of them.

Data visualisation of 'Risk Factors' and their impact on human cyber risk. Notably, security behaviours is weighted at 50, while knowledge & understanding is weighted at 15.
Risk factors are weighted on their impact. Sensitive data access acts as a ‘force multiplier’.

The challenge

It was clear that the training platform needed a refresh. Not just to better align with the new product vision, but also to resolve the issues being experienced by admins and users, and customers by extension. The need to solve these problems manifested into a single goal.

Build a training platform that aligns with CybSafe’s new vision, while helping admins efficiently deliver personalised training to users.

Before we began

CybSafe's success showed that there was a market for HRM. As a result, other vendors started to follow in their footsteps. In order to maintain its position as an industry leader, the business changed its approach to product development.

This led to a set of challenging constraints.

🚚

An emphasis on delivering new value quickly, encouraged quantity over quality to keep the products competitive edge.

🫠

UX was less of a business priority with a preference to ship MVPs quickly, gather feedback, and then iterate on them.

🧩

A requirement to reuse existing UX patterns to maintain consistent, high-quality, experiences across autonomous squads.

What we did

We jumped the gun...

In the interest of speed, the Product Manager and I went straight to the drawing board. The idea that gained the most traction was called smart groups. Users would be added and removed from groups based on shared attributes. Because modules are assigned to groups, users would be automatically assigned those modules as well.

Flowchart outlining 'smart groups'. Admins set rules to auto-add and remove users from groups. This automatically gives them any modules assigned to that group to complete. Users can then be removed from the group once they complete the module.
An excerpt from the proposal for ‘smart groups’.

Don’t work in silos!

Before getting too carried away, we ran the idea by the rest of the squad. This was to refine it and make sure it was technically feasible before going any further. The engineers highlighted that smart groups would be incompatible with larger customers’ setups. This was because their groups synced with their active directories, preventing them from creating specific custom groups.

💡 Lesson learned

We had spent a week developing the idea. It wasn’t loads of time, but we still should’ve included the tech lead from the beginning. In future projects, I made sure to do just that.

Workshop time

I decided to take a step back and ran an ideation workshop with the squad to gather and consider a range of ideas. Participants included:

  • 1 Product Manager
  • 4 Engineers
  • 1 Customer Support Manager
  • 1 Behavioural Scientist

After everyone had added their ideas, we combined any duplicates and mapped them to a impact-effort matrix.

Impact-effort matrix of the main ideas from the workshop. Four ideas are high impact, high effort. Three more are high impact, low effort. Two ideas are low impact. The last is medium impact but high effort.
Impact-effort matrix of the main ideas that came out of the workshop.

Back on course 😏

As we discussed the highest impact ideas, three of the bigger bets came together to form a new concept called Learning campaigns (I wanted to just call them Courses). We concluded that the high effort required was necessary to build an effective solution. There was also leeway, as other squads had already worked on similar capabilities that we could reuse. As for the quick-wins, they were done in a hack-day!

Diagram of the structure of a Learning campaign. Modules, Campaign settings, and Assignment conditions all make up a single campaign.
Initial proposal for the structure and capabilities of Learning campaigns

Task flow

Having figured out the basic structure of a single learning campaign, I organised its components into a task flow to determine the sequence of steps that would be necessary for admins to create one. It also facilitated discussion with the squad about how much work would required and what additional components were necessary for campaigns to function.

A flowchart showing the sequence of steps for creating a learning campaign. The main steps are details, enrolment rules, modules, schedule, and review.
Task flow for creating a learning campaign. Each step represents an individual screen.

Another consideration

Replacing the current system would have certainly disrupted customers’ existing setups. This would erode their trust in both CybSafe and their own admins. So we needed to make sure the launch as frictionless as possible. The decision was for the old and new systems run side by side to begin with. Customers could familiarise themselves with Learning campaigns before moving to the new system using the provided conversion tool.

The first iteration

Learning campaigns

Problem: Admins could only assign one set of modules to each group of users. This meant running multiple training initiatives at once involved a tonne of manual micro-management.

Solution: Learning campaigns are collections of modules that admins can create and enrol users into. It is now much easier to organise and run multiple training initiatives based on different topics and objectives.

The interface for setting up 'Learning campaigns'. It shows a table of campaigns with details like their name and status. There is also a button to create new campaigns and a link next to the title for accessing reports.
Admins can schedule and run multiple training campaigns from CybSafe’s admin panel.

Audience rules

Problem: The only way to assign a training module to a user was manually via groups that were often based on departments. This made it almost impossible for admins to deliver truly personalised training to users.

Solution: Audience rules automatically enrol users into campaigns based on their objective actions or attributes. For example, users who frequently fall for simulated phishing emails can be enrolled into a campaign that focuses on techniques to spot phishing emails.

The 'Audience' step of creating a Learning campaign. It has options to add audience rules, with two rules having been added already. 'Cancel,' 'Back,' and 'Next' buttons are at the bottom.
Audience rules let admins assign personalised training to users based on their attributes.

Modules

Problem: Admins found it difficult to find where to assign modules to users because it was via groups, a place they did not expect it to be.

Solution: Module assignment was now done via Learning campaigns in the Learning part of the product.

The 'Modules' step of creating a Learning campaign. It has a table of modules with links to preview them. Two have been selected using checkboxes next to their names. 'Cancel,' 'Back,' and 'Next' buttons are at the bottom.
Each campaign can contain any number and combination of modules.

Schedule

Problem: Users received all modules at once, overwhelming them and preventing admins from running initiatives based on certain events or the time of year.

Solution: Campaigns can be scheduled with specific dates or run continuously, allowing phased training and enabling seasonal initiatives.

The 'Schedule' step of creating a Learning campaign. It contains options for start and end dates, completion deadline, and if and when to reset user completion. 'Cancel,' 'Back,' and 'Next' buttons are at the bottom.
The scheduler lets admins control when users are enrolled into a campaign.

No time to test?

Usability testing 🫷Releasing to production

I wanted to conduct usability tests on the designs to identify any issues in the new experience before the engineers started building it. But the emphasis on quick delivery meant we were pressed for time. As result, the squad was keen to start development. After a little persuasion from both sides, we met in the middle and we found a good alternative.

A flowchart with six steps; Empathise, Define, Ideate, Prototype, Test, Implement. Each has an arrow leading to the next, except Prototype which skips over the Test step to the Implement step.
How I initially interpreted the design process of Learning campaigns.

Releasing to production 🫷Beta testing the MVP

The CybSafe platform lets customers opt-in to beta test new features. So we agreed to release Learning campaigns to beta testers first. We would then ask them for feedback once they had time to test out the new feature. This would reveal the most serious issues to us, allowing us to fix them.

A flowchart with six steps; Empathise, Define, Ideate, Prototype, Beta test, Launch. Each has an arrow leading to the next. The beta test step has an additional arrow leading back to empathise.
What actually happened with learning campaigns.
💡 Lesson learned

I was too focused on what I couldn't do to begin with. In the end I found success in adapting my approach to the situation, instead of dogmatically following an idealised design process. The final result would've been even better if I scaled back the MVP so that the beta was more focused and cheaper to build.

Beta test

Feedback from beta testers

The migration tool hadn’t been developed yet. So beta-testers had to manually migrate their existing setups. This meant adoption was slow. But over the following several weeks, two consistent piece of feedback trickled in via customer success.

🕒

Admins were happy that they didn’t have to spend so much time manually assigning and reassigning modules to users.

🌀

But it was overwhelming due to the number of options when setting up a campaign.

Ok

Most of the feedback we got was fairly vague. So while the engineers worked on the automated migration tool, the PM and I spoke to a few of the beta-testers directly.

🧭

Admins were lost due to a lack of clear guidance on the best way to setup and run campaigns.

📚

Choosing modules was still clunky because there were still 71 (and counting) of them to sift through.

Our intent didn’t match admin expectations with several options being either confusing or in the wrong place.

📢

Users didn’t know they had new training until admins told them that they had been enrolled in a new campaign.

Amendments

There's a template for that

Problem: Admins were overwhelmed by the number of options when setting up a campaign. But this complexity was required for campaigns to function and be value to customers.

Solution: Templates are a set of pre-made campaigns with everything already setup. All admins have to do is choose what they want to use.

Learning campaign templates page. It displays a table listing each template with key details like its name. Each row includes a call to action to 'Use template'.
For the sake of speed, the first iteration of the template library is a data table.

No more robo speak

Problem: The audience rules used programming-like language (if, else, etc.) to show more complex options. But this confused admins who lacked programming experience.

Solution: Audience rules now use plain, user-friendly language, making them easy for anyone to understand, regardless of technical expertise.

Before and after of the amendments to the audience rule options. For example, instead of saying 'Module completed is in 2 modules', the option now says 'Completed modules include 2 modules'.
Before and after of some of the audience rule labels that we improved.

Options now in the right place

Problem: Admins often missed the ‘Activate’ switch in the first step of the campaign flow. This left them wondering why their users weren’t receiving modules after a campaign was created.

Solution: The activate switch was a ‘simpler’ compromise to let admins ‘save’ their progress. So we replaced the switch with the ‘Save draft’ button that I originally proposed. Technical constraints prevented autosaving.

The 'Details' step of creating a Learning campaign. It has options to name the campaign and a 'certificate' toggle. There is also an 'Activate' toggle that has been crossed out in red. A 'Save draft' button in the bottom right corner is circled in green.
I don’t know what I was thinking with the toggle to be honest.

Notifications

Problem: Admins wanted to be able to notify users when they had been enrolled into a campaign, as well as send them reminders. While they could do this with the ‘Nudge’ feature, there wasn’t a clear journey to do so from Learning campaigns.

Solution: I planned to add a widget to the campaigns page to guide admins to the nudge feature and setup the notifications there. But this was out-of-scope due to time and ownership constraints. Instead we added a ‘Notifications’ step that let admins select from three pre-made notifications.

The 'Notifications' step for creating a learning campaign. It has three options for what notifications to send to users. There's also a delivery channel setting with options like email, Microsoft Teams, and Slack.
Admins can send notifications to users based on the stage they’ve reached in the campaign.

Launch

A mostly positive reception

The new learning platform was fully released to all customers in August 2023. It was a welcome update, with almost half of them voluntarily migrating to the new system in the first month.

“We used top have ~30% completion rates, through utilising learning campaigns and nudges, we are now at ~90% completion” — Customer
💰 $300k of ARR

Secured from churn

📚 60% of courses

Assigned via user attributes

📈 46% adoption

1 month after release

📈 96% adoption

1 year after release

However, there were still some nasty usability issues and bugs that surfaced later on. For example, the built in notification engine would send duplicate notifications to users if they were enrolled in multiple campaigns! This prevented some customers from fully adopting the new system as they were under a lot of pressure for things to work perfectly. Once these issues were fixed, the customers were happy migrated to the new system.

Retrospective

I was pleased to see the work I had done over the last few months make it to the product. It was also good to see that customers were excited by the value that learning campaigns gave them. Although the process wasn’t ideal, it was a valuable experience that helped me learn to adapt to an imperfect situation. The main things I learned were to:

🤝

Include stakeholders as early as possible to gain a variety of ideas and perspectives to reach the best solution to a problem.

🌱

Adapt my process based on the time and resources available and not get caught up in a rigid, idealised, design process.

Start small and focus on the quality of a few things, gradually building on them, rather than prioritising the quantity of many things and trying to improve their quality later.

Still more to do!

As of today, all customers are using learning campaigns and the old system has been decommissioned. But the work doesn’t stop there:

📈

Admins need a simpler way to report compliance in addition to the filtering that’s available. The proposed solution adds the ability to highlight campaigns, displaying dedicated charts of completion rates within the selected date range.

🎯

The user experience needs improvement. Changes to module assignments were a good start. But our vision is to use risk data to give users real-time, tailored, and hassle-free assistance.

📈

Continue to lead the industry from awareness to human risk management. This means designing a product that measures metrics that quantify risk and performs cyclical, outcome driven actions for customers.

Thanks for reading 🙏

Next project

CybSafe, Navigation
Samuel Faiers — Product Designer
Email
LinkedIn