When we talk about security, we often overlook a basic fact about people: the best protection strategies won't work if no one is paying attention. Too many cybersecurity training programs are designed with lots of focus on the factual content of the training, but with minimal effort to engage the people taking it. Boring training is ineffective, so we need to fundamentally rethink our approach to awareness.
This October marks the 20th anniversary of Cybersecurity Awareness Month, a campaign co-led by us at the National Cybersecurity Alliance and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). We've learned a lot in those 20 years. And one thing we know is that it's time to center our security awareness programs on the audience.
Phishing simulations are common in many organizations, but are they really serving their intended purpose? Many security teams adopt a punitive mindset: send out phishing traps, wait for employees to slip up, and then reprimand them with more training, public shaming, or even disciplinary action. The logic is simple: fear of failure will motivate employees to improve their vigilance. But here's the problem: this approach doesn't work long-term. And it certainly doesn't encourage culture change and engagement with the security team.
A punitive approach can create resentment and fear among employees, which may lead them to avoid engaging with security measures altogether. They might spend their time devising less secure workarounds to get their job done. Instead of making cybersecurity feel like an achievable goal we can work toward together, it becomes an unwelcome test to be passed or failed. Worse, it could encourage employees to conceal mistakes rather than learn from them.
Instead, let's emphasize positive reinforcement and keep the human at the center. Measure report rates, not click rates: an employee who reports a suspicious message is doing exactly what we want, and that behavior is worth far more to the security team than a low click count. People respond far better to proactive and supportive measures than to fear-based or punitive ones. It's time we step away from the notion that cybersecurity is a trap waiting to catch employees off guard and instead make it about helping them succeed.
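To make "report rates, not click rates" concrete, here is an added Python example of how a phishing-simulation result set can be scored around reporting. It is not the Alliance's own tooling; the event records and the event names "delivered", "clicked" and "reported" are constructed assumptions, as is the choice to count a report that arrives before (or instead of) a click as the behavior to reward.

```python
"""Score a phishing simulation by report rate rather than click rate.

Added example, not National Cybersecurity Alliance code. The event
records and event names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed simulation events: (recipient, event type, ISO timestamp).
# Assumed event types: "delivered", "clicked", "reported".
EVENTS = [
    ("alice", "delivered", "2024-10-01T09:00:00"),
    ("alice", "reported", "2024-10-01T09:04:00"),   # reported, never clicked
    ("bob", "delivered", "2024-10-01T09:00:00"),
    ("bob", "clicked", "2024-10-01T09:10:00"),
    ("bob", "reported", "2024-10-01T09:12:00"),     # clicked, then reported
    ("carol", "delivered", "2024-10-01T09:00:00"),
    ("carol", "clicked", "2024-10-01T09:30:00"),    # clicked, never reported
    ("dave", "delivered", "2024-10-01T09:00:00"),   # no response at all
    ("erin", "delivered", "2024-10-01T09:00:00"),
    ("erin", "reported", "2024-10-01T09:20:00"),    # reported, never clicked
]


@dataclass
class UserOutcome:
    delivered: Optional[datetime] = None
    first_click: Optional[datetime] = None
    first_report: Optional[datetime] = None


def collect_outcomes(events):
    """Fold raw events into one outcome per recipient, keeping the earliest click and report."""
    outcomes = {}
    for user, kind, ts in events:
        when = datetime.fromisoformat(ts)
        o = outcomes.setdefault(user, UserOutcome())
        if kind == "delivered":
            o.delivered = when
        elif kind == "clicked" and (o.first_click is None or when < o.first_click):
            o.first_click = when
        elif kind == "reported" and (o.first_report is None or when < o.first_report):
            o.first_report = when
    return outcomes


def score_simulation(events):
    """Return campaign metrics framed around reporting, not just clicking."""
    delivered = [o for o in collect_outcomes(events).values() if o.delivered is not None]
    n = len(delivered)
    clicked = [o for o in delivered if o.first_click is not None]
    reported = [o for o in delivered if o.first_report is not None]
    # The behaviour to reward: a report that was not preceded by a click.
    reported_clean = [o for o in reported if o.first_click is None or o.first_report < o.first_click]
    silent = [o for o in delivered if o.first_click is None and o.first_report is None]
    # Time-to-report tells you how quickly the security team would have heard about a real attack.
    minutes_to_report = [(o.first_report - o.delivered).total_seconds() / 60 for o in reported]
    return {
        "delivered": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "reported_before_click_rate": len(reported_clean) / n if n else 0.0,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "no_response": len(silent),
    }


if __name__ == "__main__":
    for key, value in score_simulation(EVENTS).items():
        print(f"{key}: {value}")
```

Run on the constructed events, the click rate is 0.4 and the report rate is 0.6: a punitive program would single out the two clickers, while a report-centered one sees three people who did the right thing (one of them after a click) and one person who did nothing, which is the group that most needs a follow-up. The median time-to-report is the number worth tracking from campaign to campaign, since it is what determines how fast a real phish gets contained.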
When we're designing awareness programs for our orgs, it's common to get bogged down by layers of corporate bureaucracy. HR or corporate communications departments may redline your content to death, making it dry and robotic and, well, corporate. There's a risk that engaging or edgy content will be sidelined in favor of something that feels safer—but ultimately, less effective.
This is where you need to stand your ground. If your program is exciting, creative, and memorable, don't let it get reduced to a dull PowerPoint because someone in corporate doesn't like the idea of humor or entertainment in cybersecurity. We find that humor and entertainment are far more effective at getting people to engage. When employees feel entertained or involved, they're more likely to remember and apply what they've learned in real-world situations. Do you remember your most boring professors (and what they taught you) from college, or the most interesting and entertaining ones?
A prime example is our comedic web series "Kubikle." We created it to counter the notion that cybersecurity training has to be boring or intimidating. Think of it as The Office, if Dunder Mifflin were staffed by Russian FSB operatives. By taking a comedic approach and framing cybercriminals in a lighthearted, satirical way, we captured the audience's attention while educating them on serious topics. The lesson? Creative content works. Stand up for it.
In many ways, cybersecurity is more about people than technical defenses. Employees are on the frontlines, often targeted because of their access and roles within an organization. The challenge is that many don't see themselves as important targets. We need to change that.
Our 2024 Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report found that 54% of participants find it easy to stay secure online, up 4 points from 2023. However, the share of people who believe online safety is worth the effort fell 9 points to 60% in 2024. Only 53% believe staying safe online is even possible, a 5-point decline. Fear and frustration stem from the complexity of the subject, making many people feel overwhelmed. As security professionals, our goal should be to demystify cybersecurity and empower people to adopt simple behaviors that make them safer.
The basics—like not reusing passwords, using multi-factor authentication, and recognizing phishing—can go a long way toward defending against today's threats. If we make cybersecurity feel achievable and engaging, more employees will take it seriously and integrate those behaviors into their everyday actions.
From ransomware to AI-driven phishing attacks, threats are evolving rapidly. Are your training programs evolving alongside them? If your training still focuses solely on generic advice, it won't equip employees to handle the realities they face today.
The rise of sophisticated phishing campaigns using AI-generated messages, and even deepfaked video, is a good example. Training programs need to include updated information on these new threats and real-world simulations that help employees recognize and respond to them. It's not enough to teach people how to identify last year's threats; we must keep them prepared for what's coming next.
Cybersecurity doesn't fall solely on the shoulders of IT or individual employees. It's a team sport that spans departments and levels of leadership. Executive buy-in, cross-departmental collaboration, and continuous investment in employee training are critical to building a resilient organization.
Training shouldn't be a one-off, check-the-box activity. It should be continuous, evolving, and tailored to your workforce's needs. The 2024 Oh Behave! survey revealed that 56% of participants had no access to cybersecurity training, a sharp drop in access compared with previous years. However, those who did have access found it highly beneficial. Regular, updated, and entertaining training programs can help people become more confident in contributing to the organization's security.
If we want awareness programs to work, we need to make them human-centered, engaging, and evolving. We can't let corporate concerns about tone dilute our messages, nor should we fall back on punitive measures that alienate employees. Instead, let's aim to make security education approachable, empowering, and even entertaining.
Boring training is ineffective training. It's time we rethink how we engage our workforce and make cybersecurity a team effort where everyone feels capable of contributing. By centering our programs on the audience to build a culture of security, we can empower our people to be the strongest line of defense.