5 Security Awareness Mistakes and How to Fix Them

SoSafe
04/29/2026

TL;DR

  • Awareness training alone does not change behavior—organizations must apply behavioral science principles including consequences, peer pressure, and reducing opportunities for risky actions to drive actual security culture change.
  • Punishing employees for security mistakes undermines trust and reporting culture; adopting a 'just culture' approach treats errors as opportunities to improve processes rather than occasions for discipline.
  • Bulk learning during onboarding is quickly forgotten; effective programs use drip-fed, role-based content delivered over time with regular reinforcement tailored to different employee contexts.
  • Feedback loops are essential for sustained engagement—employees who report security concerns need timely responses and recognition, with 77% working harder when they feel their contributions are appreciated.
  • The fundamental reframe: stop calling it a 'security awareness program' and rename it a 'security behavior change' or 'security culture' program to focus efforts on what actually matters—changing how people act, not just what they know.

Why Awareness Alone Doesn't Change Behavior

The session opens with a fundamental challenge facing security leaders: more awareness training does not automatically translate to better security behavior. Andrew Rose and Maxime Lecoeur use the smoking analogy to illustrate this disconnect—despite 100% awareness that smoking is dangerous, millions still smoke. The speakers introduce behavioral science principles from BJ Fogg's behavior model, emphasizing that behavior change requires addressing both motivation and ability. Organizations must move beyond simply stacking more training and instead focus on consequences, peer pressure, and removing opportunities for risky behavior. The key insight is that awareness is necessary but insufficient—security programs must be designed to influence actual behavior, not just knowledge.

Building Trust Through Just Culture

A critical mistake many organizations make is punishing employees who fall for phishing simulations or make security errors. While punishment may produce short-term behavior change, it fundamentally undermines trust and destroys the partnership security teams need with their users. The speakers introduce the concept of 'just culture' from aviation safety, where mistakes are viewed as opportunities to improve processes rather than occasions for punishment. In this framework, if an employee makes an error, the security team asks what controls, tools, or processes were missing that allowed the mistake to happen. This approach encourages incident reporting and creates a culture where employees feel safe coming forward with problems. The session emphasizes that security teams must be seen as partners, not police, to build sustainable security culture.

Effective Learning Design and Feedback Loops

The presentation addresses two interconnected mistakes: bulk learning approaches and lack of feedback mechanisms. Research shows that people quickly forget information delivered in one-time training sessions, particularly during onboarding when new employees are overwhelmed with information. Instead, organizations should implement drip-fed learning over time, with role-based content that reflects employees' actual work contexts. A developer needs different security guidance than an HR professional or factory worker. The speakers also stress the importance of feedback loops—77% of employees work harder when they feel appreciated and recognized. When employees report suspicious emails or security concerns, they need timely feedback to maintain engagement. Automation tools like AI chatbots can provide immediate responses, while security teams should celebrate good reporting behavior and communicate when employee vigilance prevented actual incidents.

Chapters

0:00 - Introduction and Speaker Backgrounds
1:30 - Mistake 1: Awareness vs Behavior
4:30 - Behavioral Science and Peer Pressure
7:00 - Mistake 2: Understanding Security Roles
10:30 - Mistake 3: Punishment Damages Trust
14:30 - Just Culture Framework
19:00 - Mistake 4: Bulk Learning Failures
23:00 - Role-Based Content Design
27:00 - Mistake 5: Missing Feedback Loops
31:00 - Bonus: Rename Your Program
34:00 - Audience Q&A Session

Key Quotes

1:46 "More awareness does not change behavior."
12:21 "If you make a mistake, it's my fault. If you've made a mistake, I haven't given you the right tools. I haven't given you the right processes."
18:57 "... 77 of employees would work harder if they knew they were being appreciated and recognized."
21:54 "You don't want to build awareness. That's not what you're trying to do. You're trying to change behavior, trying to change culture."
9:06 "It does work. And people do change their behavior because of the peril of having disciplinary on you. The problem is it's not sustainable."
Categories:
  • Data Protection
Tags:
  • Security Operations
  • Best Practices
  • Technical Deep Dive
  • Compliance & Governance
  • Webinar
  • Security Awareness Training
  • Behavioral Science
  • Security Culture
  • Just Culture
  • Phishing Simulations
  • Employee Training
  • Incident Reporting
  • Human Risk Management