April 3, 2019

Promoting a culture of cybersecurity awareness is important now more than ever. After all, cyberattacks are on the rise around the world. Not only are they increasing in size, but they are also increasing in complexity. Cybercrime is expected to cost the world about $6 trillion by 2021—which is going to be exponentially greater than the damages caused by natural calamities.

People—not only tools—are essential to the health of your company. Helping your employees understand what security awareness means is an excellent way to start. By conducting security training, you can encourage your people to change their behaviour and commit to it. However, that’s often easier said than done. Many companies fail to create lasting change for all sorts of reasons.

Here, you will learn how to avoid the five common reasons causing security awareness training to fail.

1. Adopting a tick-box mentality

Companies often conduct training simply to adhere to compliance standards. However, these standards don’t provide solid security countermeasures.

Compliance standards for security awareness are somewhat open to interpretation. For instance, a standard may require companies to adopt a security awareness program, but say nothing about its structure or content. The ambiguity leaves auditors the monumental task of determining what makes up a good program. Unfortunately, many of them have little to no knowledge about it.

Cybersecurity training isn’t just about providing employees with the resources they need and then quizzing them on whether they learned something. When auditors, say, use a 10-minute video to explain security awareness and quiz employees afterwards to verify that they understood it, the training fails to engage them. It also fails to show trainees how what they’ve learned can shape their day-to-day actions. In other words, a compliant security awareness training program isn’t always an effective one.

2. Lack of engaging content

When companies are driven by a tick-box mentality, they usually won’t invest in good resources for security awareness training. Some might conduct once-a-year computer-based courses. Others would use content that only includes videos, with little or no interaction or teachable moments.

Let’s say you have a decent budget for your program. You still need to make sure that the materials you plan to use are an appropriate medium for empowering your office to embrace a better security culture. Sometimes, we tend to be more biased towards what works for us. That shouldn’t be the case. You should always consider your target audience—your employees—before choosing the right content to engage them. Inevitably, they will want something fun and engaging. Crucially, interactions and the opportunity to ‘live through’ scenarios can provide them with proper teachable moments.

3. Lack of employee buy-in

Employees who aren’t as invested in the training course as you are can put the company and your clients at risk of cyberattacks. To create security awareness champions, you have to empower employees to follow security protocols when confronted with security issues. Employees who feel confident in their cybersecurity knowledge are more likely to adhere to rules and less likely to cause a major mishap.

To empower every single person in your office, you ought to consider using a mix of engaging materials. You could use blogs and social media content, together with traditional print media like newsletters, to help boost the impact of your online security awareness training.

4. Testing your employees rather than engaging them

Most companies only conduct annual tests to determine their employees’ knowledge of security awareness. They do nothing more. Testing employees won’t prove that they practice appropriate cybersecurity protocols every day at work. Your teams might pass the quizzes with flying colours, but there’s a good chance that they don’t exercise what they’ve learned.

On the other hand, constant reinforcement will empower employees to embrace the desired behaviours.

5. Setting unrealistic expectations

Establishing unreasonable expectations won’t help promote a culture of cybersecurity awareness. You can’t blame your employees for not being able to eliminate all security threats. After all, no single countermeasure can stand against every single threat out there. But with proper training, you can at least minimise the number of threats.

How would you know whether the training was worth it if you don’t study the data? Collecting the necessary metrics will help you understand the effectiveness of the program. By analysing the data, you can tell if you’re wasting time and resources or adding value to the brand.

Collecting data will also help you determine how the company can improve its efforts in security awareness training.

A lot of programs fail because of these five reasons. If you’re wondering why your employees have yet to successfully embrace the right habits, maybe it’s time to rethink your training strategy. Take a good look at your program and determine whether any of these factors are impeding its success. Then, create the right training program for your team so you can mitigate the risks of cybersecurity threats.

Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.
