How HuoLala Built an Effective Human‑Centric InfoSec Training Program

Problem and Challenges

Employees are the first line of defense in information security, but raising their awareness is complex, involving attitudes, cognition, and behavior. HuoLala faced low participation, unsuitable training cycles, generic content, and limited internal training resources.

Current Training System

The program divides participants into four tiers: all staff, targeted departments/roles, technical personnel, and data‑security key staff, each with tailored training plans.

1. All‑Staff Training

Onboarding and Exit Reminders : New hires receive a unified security briefing via Feishu and email; departing employees get targeted reminders to prevent data leakage.

Annual All‑Staff Training : Conducted once a year to meet legal requirements and boost overall awareness. Content covers the what, why, and how of security, delivered via videos, live talks, or animated clips on an internal learning platform that tracks progress and exams.

Coverage Strategies : Secure high‑level support, issue company‑wide notifications, and leverage HRBPs, department liaisons, and security BPs to monitor completion rates.

2. Department/Role‑Specific Training

Targeted sessions supplement the annual program, offering customized content based on business scenarios. Internal security trainers collaborate with department leaders to design and deliver these courses, often recruiting business‑side speakers and providing them with training on presentation materials.

3. Technical Center Training

R&D, testing, and operations staff receive periodic workshops covering common vulnerability analysis, secure development processes, and business‑security best practices, delivered through online modules and articles.

4. Data‑Security Key Personnel

These staff stay updated on regulatory changes and industry trends via regular article sharing and expert‑led specialist sessions.

Daily Security Awareness Promotion

Beyond formal training, HuoLala publishes security‑focused articles, runs interactive activities, and uses various media formats to reinforce the security culture.

Content Creation

Topic Selection : Divide security knowledge into modules (office, data, network, endpoint, legal, personal data) and prioritize topics based on employee surveys, incident reports, and emerging threats.

Writing : Produce concise, employee‑friendly copy without excessive jargon.

Design : Craft compelling titles and visuals to attract attention.

Channels

Online : Feishu subscription accounts, bots, knowledge base, community forums, group chats, splash ads, and banners—selected based on audience analysis to avoid over‑messaging.

Offline : Posters, desk cards, and roll‑up banners placed in high‑traffic areas such as restrooms, elevators, break rooms, and meeting rooms.

Formats

Content Formats : Long‑form graphics, comics, short sentences, MG animations, and live‑action videos.

Comics : Use humor and current news to convey security concepts.

One‑Picture Summaries : Visual diagrams simplify complex ideas.

Security Tips : Bite‑size text with links to deeper articles.

Videos : Ranging from slide decks to animated clips and short skits.

Activity Formats

Online/Offline Events : Combine reach and interactivity.

H5 Mini‑Games : Engaging, location‑independent games reinforce learning.

Theme‑Park‑Style Experiences : During Security Awareness Month, stations with games encourage immersive learning.

Workplace Spot Checks : Random inspections reward safe behavior and flag unsafe practices.

Incentives such as leaderboards, certificates, avatar badges, and lucky draws motivate participation.

Conclusion

Continuous development of a human‑focused security training system is essential for raising the overall security posture. HuoLala’s experience offers practical insights for other organizations seeking to build a robust security culture that adapts to evolving technology and business complexity.