Why Your Security Awareness Training is Useless
I've sat through dozens of security awareness training sessions. Mandatory videos. Annual compliance modules. Click-through slideshows with quizzes at the end.
And I've got a confession: I can't remember a single thing from most of them.
Not because I'm not interested in security (I run a security company). But because most security awareness training is simply ineffective. It is designed to check a compliance box, not to change behaviour.
If you're responsible for security training in your organisation, this article might be uncomfortable. But stick with me—there's a better way.
The Compliance Trap
Most security awareness training exists because someone said it had to. Regulatory requirement. Insurance mandate. Audit finding. Board directive.
So HR or IT buys a training platform. Everyone gets an annual assignment. They click through videos, answer obvious quiz questions, and get a certificate.
Compliance: achieved. Security: unchanged.
This is security theater. It looks like you're doing something. But nothing actually improves.
I've seen organisations with 100% training completion rates get breached because someone clicked a phishing link. The training didn't fail. The training was never designed to succeed.
Why Most Training Doesn't Work
Let's break down why traditional security awareness training fails to change behaviour:
Problem 1: It's Boring
Most security training is:
- Too long (20-30 minutes of video)
- Too generic (not relevant to actual job functions)
- Too theoretical ("attackers might..." instead of "here's what happened to us")
- Passive (watching, not doing)
People tune out. They multitask. They click through while doing something else. They retain almost nothing.
Problem 2: It's Annual
You do training once a year. In January, everyone learns about phishing. By March, they've forgotten. By June, new hires have never had the training. By September, nobody remembers anything.
Security threats evolve daily. Annual training can't keep up.
Problem 3: It Focuses on Information, Not Behaviour
Knowing that phishing exists doesn't stop you clicking phishing links. Knowing passwords should be strong doesn't make you create strong passwords.
Information ≠ behaviour change. We know vegetables are healthy. We still eat chips.
Problem 4: It's One-Size-Fits-All
The same training goes to:
- Executives with admin access to everything
- Finance staff who handle invoices and wire transfers
- Developers writing code
- Warehouse staff using tablets
- Customer service on the phone all day
Different roles face different threats. Generic training addresses none of them well.
Problem 5: It Punishes Instead of Teaches
Click a phishing simulation? Mandatory extra training. Fail a quiz? Do it again. Make a mistake? Reported to your manager.
This creates fear, not learning. People hide mistakes. They resent security. They game the system to avoid punishment.
What Actually Works: Evidence-Based Approaches
There's a whole field of research on behaviour change. Security training can learn from it.
Principle 1: Make It Relevant
People engage with content that relates to their actual work and life.
Instead of: "Phishing is a threat to organisations worldwide." Try: "Last month, someone in our finance team received an email that looked like it was from our CEO asking for an urgent wire transfer. It wasn't. Here's how they spotted it."
Use real examples from your organisation (anonymised). Show actual phishing emails that targeted your company. Make it concrete, not abstract.
Principle 2: Make It Short and Frequent
One 30-minute training session per year is worthless. Ten 2-minute sessions spread across the year actually work.
Microlearning approach:
- Weekly 2-minute security tips
- Monthly short videos on specific topics
- Quarterly interactive simulations
- Annual deep-dive for complex topics
Spaced repetition beats cramming. Every time.
Principle 3: Make It Active, Not Passive
Don't just tell people what to do. Have them practice doing it.
Instead of: "Check the sender address before clicking links." Try: Interactive exercise where they review 10 emails and identify which are phishing. Immediate feedback on each one.
Muscle memory matters. The more people practice recognition, the better they get.
Principle 4: Make It Social
People learn from peers. Use social proof and community:
- Share stories of people who caught attacks
- Create security champions in each department
- Discuss security in team meetings
- Make security part of the conversation, not a separate thing
When security becomes "what we do here" rather than "what IT makes us do," behaviour changes.
Principle 5: Make It Easy to Do the Right Thing
The best security training removes friction from secure behaviour:
- Password manager provided and set up by IT
- One-click phishing report button
- Clear, simple policies
- Fast help when people have questions
If doing the secure thing is harder than the insecure thing, people will choose insecure—training or no training.
A Better Security Awareness Model
Here's the approach I recommend:
Layer 1: Environmental Cues
Make security visible in the workplace:
- Posters in break rooms (rotated monthly)
- Screensavers with security tips
- Slack/Teams bots that share tips
- Login page messages
These aren't training—they're reminders. They keep security top of mind without demanding attention.
Layer 2: Role-Based Training
Different people need different training:
Everyone:
- Phishing recognition
- Password basics
- Reporting procedures
Finance:
- Invoice fraud
- Wire transfer verification
- Vendor compromise
Executives:
- Spear phishing
- Social engineering
- Travel security
Developers:
- Secure coding
- Secret management
- Supply chain risks
IT/Admins:
- Privileged access
- Advanced persistent threats
- Incident response
Keep role-specific training short and practical. What do they actually need to know for their job?
Layer 3: Simulated Practice
Regular, realistic simulations:
- Phishing emails (varied difficulty)
- USB drops (leave infected USBs in parking lots)
- Social engineering phone calls
- Physical security tests (tailgating attempts)
Make simulations learning opportunities, not gotchas. Immediate feedback. No punishment.
Layer 4: Just-in-Time Training
Deliver training when it's relevant:
- New employee onboarding (security from day one)
- When someone clicks a phishing simulation (immediate micro-training)
- After a real incident ("Here's what happened and how to spot it")
- Before travel (travel-specific risks)
- During tax season (tax scam awareness)
Context matters. Training delivered at the right moment is 10x more effective.
Layer 5: Cultural Integration
Make security part of how you work:
- Security discussed in all-hands meetings
- Leaders model good behaviour (use password managers, report phishing)
- Security wins celebrated
- Blameless post-incident reviews
- Security champions in every department
Culture eats strategy for breakfast. Training won't work if the culture works against it.
Measuring What Matters
Stop measuring training completion. Start measuring behaviour change.
Bad Metrics
- Training completion rate (100% means nothing)
- Quiz scores (easy to game, doesn't predict behaviour)
- Hours of training delivered (activity ≠ outcome)
Good Metrics
- Phishing simulation click rate (trending down?)
- Phishing report rate (trending up?)
- Password hygiene (weak passwords found in audits?)
- Incident reporting (more reports = better awareness)
- Security policy violations (trending down?)
Track over time. Look for trends, not snapshots.
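The "good metrics" above only mean something when they are tracked across campaigns and when tiny campaigns are not allowed to swing the trend. The script below is an added example, not something from the article or from SecureInSeconds: it takes constructed per-campaign phishing-simulation results (quarter, messages sent, clicks, reports), computes click rate, report rate and the report-to-click ratio for each, drops campaigns below an assumed minimum sample size, and then says whether each rate is trending the right way by comparing the earlier half of the series with the later half. The campaign figures, the `MIN_SAMPLE` cutoff and the two-percentage-point "flat" threshold are all assumptions chosen for illustration.

```python
"""Trend report for phishing-simulation metrics.

Added example (not the article's or SecureInSeconds' code). All campaign
figures below are constructed sample data, not real results.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Assumption: below this many recipients a single click moves the click rate
# by two or more percentage points, so such campaigns are excluded from trends.
MIN_SAMPLE = 50
# Assumption: a change of less than two percentage points is reported as "flat".
FLAT_THRESHOLD = 0.02


@dataclass(frozen=True)
class Campaign:
    quarter: str   # label for the reporting period, e.g. "2023-Q1"
    sent: int      # simulated phishing messages delivered
    clicked: int   # recipients who clicked the link
    reported: int  # recipients who used the report button


# Constructed sample: six quarters of simulations, including one small pilot.
CAMPAIGNS = [
    Campaign("2023-Q1", sent=400, clicked=88, reported=30),
    Campaign("2023-Q2", sent=420, clicked=84, reported=42),
    Campaign("2023-Q3", sent=30, clicked=9, reported=3),     # pilot, too small
    Campaign("2023-Q4", sent=450, clicked=72, reported=63),
    Campaign("2024-Q1", sent=500, clicked=60, reported=100),
    Campaign("2024-Q2", sent=480, clicked=48, reported=120),
]


def rates(c: Campaign) -> dict:
    """Per-campaign rates. The report-to-click ratio above 1.0 means more
    people reported the message than fell for it."""
    return {
        "quarter": c.quarter,
        "sent": c.sent,
        "click_rate": c.clicked / c.sent,
        "report_rate": c.reported / c.sent,
        "report_to_click": (c.reported / c.clicked) if c.clicked else float("inf"),
    }


def direction(series: list[float], threshold: float = FLAT_THRESHOLD) -> str:
    """Compare the mean of the earlier half with the mean of the later half.
    Returns "up", "down", "flat", or "insufficient data" for a lone value."""
    half = len(series) // 2
    if half == 0:
        return "insufficient data"
    delta = mean(series[half:]) - mean(series[:half])
    if delta > threshold:
        return "up"
    if delta < -threshold:
        return "down"
    return "flat"


def metrics_report(campaigns: list[Campaign], min_sample: int = MIN_SAMPLE) -> dict:
    """Build the trend report; campaigns below min_sample are listed as skipped
    rather than silently distorting the trend."""
    eligible = [c for c in campaigns if c.sent >= min_sample]
    skipped = [c.quarter for c in campaigns if c.sent < min_sample]
    rows = [rates(c) for c in eligible]
    click_dir = direction([r["click_rate"] for r in rows])
    report_dir = direction([r["report_rate"] for r in rows])
    return {
        "rows": rows,
        "skipped": skipped,
        "click_rate_trend": click_dir,
        "report_rate_trend": report_dir,
        # Click rate should fall, report rate should rise.
        "click_rate_improving": click_dir == "down",
        "report_rate_improving": report_dir == "up",
    }


if __name__ == "__main__":
    report = metrics_report(CAMPAIGNS)
    print(f"{'quarter':8} {'sent':>5} {'click%':>7} {'report%':>8} {'rep/click':>10}")
    for r in report["rows"]:
        print(f"{r['quarter']:8} {r['sent']:>5} {r['click_rate']:>7.1%} "
              f"{r['report_rate']:>8.1%} {r['report_to_click']:>10.2f}")
    print("skipped (too small):", ", ".join(report["skipped"]) or "none")
    print("click rate trend:", report["click_rate_trend"],
          "(improving)" if report["click_rate_improving"] else "(not improving)")
    print("report rate trend:", report["report_rate_trend"],
          "(improving)" if report["report_rate_improving"] else "(not improving)")
```

Run it as a script to get the per-quarter table and the two trend verdicts. Splitting the series in half is deliberately crude: it is enough to show direction over several quarters without being fooled by one unusually easy or hard campaign, which is exactly the "trends, not snapshots" point.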
The Executive Factor
If executives don't take security seriously, no one will.
I've seen organisations where:
- The CEO refuses to use MFA ("too inconvenient")
- Executives bypass security policies ("I need this now")
- Security training is optional for senior staff ("too busy")
In those organisations, security awareness is a joke. Everyone knows the rules don't apply to the top.
Executives must model the behaviour they want to see. If they want staff to report phishing, they need to report phishing. If they want people to use password managers, they need to use password managers.
Security culture flows downhill.
Addressing the "Waste of Time" Complaints
You'll hear pushback: "This is a waste of time." "I have real work to do." "Security is IT's job, not mine."
Here's how to respond:
To leadership: "The average data breach costs Australian businesses $4.5 million. A compromised email account can lead to fraudulent wire transfers. Security awareness is risk management, not optional overhead."
To employees: "We know this takes time. We're committed to making it valuable and efficient. Short, frequent training beats long annual sessions. And security protects your personal accounts too—these skills work at home."
To IT: "We need your help making security easy. Good security should be invisible. When people complain about security friction, that's a sign we need better tools, not less training."
Better to Teach One Thing That Sticks
Here's my philosophy: It's better to teach your family one security habit that sticks than to bore them with comprehensive training they forget.
The same applies at work.
Instead of trying to cover everything, focus on the highest-impact behaviours:
- Recognising and reporting phishing
- Using unique passwords + password manager
- Enabling MFA
- Verifying unusual requests
If you get those four things right, you've eliminated 80% of your human risk.
Everything else is optimisation.
And if you want to learn more about building effective security programs, check out our guide to phishing simulation training — because that's where most security awareness programs start (and often fail).
Mathew Clark
Founder, SecureInSeconds
Currently: Redesigning our own training program based on everything I just wrote (physician, heal thyself)
Further Reading:
- ACSC security awareness guidance
- CISA Cybersecurity Awareness Program
- Our guide to phishing simulation training — where awareness meets practice
