Transforming Cybersecurity Awareness: From Passive Attendance to Active Understanding
Let’s face it—security awareness programs often feel like a chore. For employees, it’s time lost with little immediate value gained. For security teams, it’s an obligation that doesn’t always deliver visible results.
A few years ago, this was the norm in most organizations. Fortunately, things are changing. We’re now aiming to influence employees the moment they make decisions, form habits, and handle unexpected situations. In other words, we’re trying to shift cybersecurity from being a task to being second nature.
The Modern Work Environment Challenge
The pace of work has accelerated. Remote work, matrix management, and the constant stream of collaboration tools bombard us from every direction. Dropping a 10-question, multiple-choice security awareness training into this chaos and expecting lasting results is unrealistic. The outcome isn’t surprising: minimal engagement and even less retention.
It’s time to shift our approach. We must stop treating security awareness as a box to tick and start focusing on making it truly effective. To do this, I suggest we emphasize two aspects of the “Training, Education, and Awareness” triad: Education and Training.
Education: The Foundation for Change
Education is often the weakest part of security programs, yet it’s the key to helping employees internalize good security practices. So, what does good education look like?
It starts with context. Employees need to understand why cybersecurity matters, not just for the company but also for them personally. Let’s look at two examples:
- At the organizational level: A poorly managed cyber incident could significantly damage our company’s reputation and erode customer trust, threatening our long-term strategy.
- At the role level: Call center staff, who handle sensitive customer information daily, must know that even a minor slip could expose this data to attackers. Cybercriminals actively seek out the kind of information we manage, so vigilance is critical.
Once the “why” is clear, we can move on to the what.
The Importance of Contextual Education
Security risks should be explained in a way that employees can relate to. For example:
“Attackers don’t hack into systems—they log in.”
This statement underscores the importance of strong credentials. If an attacker obtains your username and password, they skip the effort of breaking in and move straight toward their goal. Given that phishing accounts for 90% of cyberattacks, maintaining good credential hygiene—like avoiding weak or reused passwords—is crucial.
By providing relevant information and context, employees start to understand why these practices are important. This builds a foundation for the how—the actual steps they need to take.
Training: Turning Knowledge into Action
Once we’ve laid the groundwork with education, we move to training. This is where employees learn the how—the practical steps to protect the organization.
For example:
- If it looks suspicious, report it. We’re all targets, and your vigilance can stop an attack in its tracks.
- Use a password manager. Let it generate and store strong passwords for you. It’s one less thing to worry about.
- Expect multi-factor authentication (MFA) prompts. MFA is a critical defense, so only approve a request when you are the one actively logging in; an MFA prompt you didn’t trigger is something to report.
Training should be delivered in various formats, not just through static PowerPoint slides. It must account for different levels of experience, with easy-to-follow guides for those who need extra help.
From Attendance to Understanding
In this first post, I’ve focused on the importance of education and training in transforming security awareness from mere attendance into real understanding. When employees understand the why and what behind security practices, they’re more likely to adopt safer behaviors and make better decisions.
In future posts, I’ll dive into how continuous awareness efforts—through regular nudges—can help reinforce these habits and further embed security into everyday decision-making.