Security Awareness Training: What Actually Changes Behaviour

I’ve sat through plenty of security awareness training. Hour-long videos. Boring slideshows. Compliance checkboxes.

Most of it doesn’t work.

People complete the training, pass the quiz, and go right back to clicking suspicious links. The behaviour doesn’t change.

Here’s what I’ve learned about what actually works.

Why Most Training Fails

It’s boring: Death by PowerPoint. Monotone narration. Outdated examples. People zone out and retain nothing.

It’s too infrequent: Annual training once a year means people forget everything by month three.

It’s too theoretical: Abstract concepts about security don’t translate to daily behaviour.

It’s not relevant: Generic training doesn’t address the specific threats employees actually face.

It’s punitive: When training is punishment for clicking a phishing test, people resent it rather than learn from it.

It doesn’t measure behaviour: Completion rates don’t equal changed behaviour.

What Actually Works

Short and frequent beats long and rare:

Instead of a two-hour annual session, try:

  • 5-minute monthly modules
  • Weekly security tips
  • Just-in-time reminders

Memory works better with spaced repetition. Regular touchpoints build habits.

Relevance matters:

Generic “don’t click suspicious links” is less effective than “here’s an example of the exact kind of phishing our company received last week.”

Tailor training to:

  • Your industry
  • Your actual threat landscape
  • Examples from your own organisation (anonymised)

Make it interactive:

Reading slides is passive. Interactive training works better:

  • Scenario-based exercises (“What would you do if…”)
  • Gamification (points, leaderboards, if that fits your culture)
  • Discussion sessions
  • Hands-on exercises

Simulated phishing:

The most effective awareness intervention is simulated phishing:

  • Send realistic phishing tests
  • When someone clicks, immediate educational feedback
  • Track improvement over time
  • Make it learning, not punishment

Platforms like KnowBe4, Proofpoint Security Awareness, and Cofense make this straightforward.

Positive culture, not fear:

Security training based on fear creates anxiety and avoidance. Training based on empowerment creates engagement.

Good messaging:

  • “You’re the most important defence we have”
  • “Reporting suspicious emails helps protect everyone”
  • “It’s okay to be cautious and verify”

Bad messaging:

  • “If you click, you could destroy the company”
  • “This could cost you your job”
  • “Don’t be stupid”

The Content That Matters

Phishing recognition (still number one): Most attacks start with phishing. Training on recognition remains essential.

Key points:

  • Check sender carefully (not just display name)
  • Be suspicious of urgency
  • Verify unusual requests through other channels
  • Report rather than delete suspicious messages

Password hygiene:

  • Use password managers
  • Unique passwords per account
  • Enable MFA everywhere
  • Don’t share passwords

Physical security:

  • Lock screens when stepping away
  • Clean desk policies
  • Visitor awareness
  • Secure document disposal

Social engineering:

  • Phone-based attacks (vishing)
  • Pretexting and impersonation
  • What information shouldn’t be shared

Remote work security:

  • Secure home network basics
  • VPN usage
  • Public WiFi risks
  • Physical security of devices

Incident reporting:

  • How to report suspicious activity
  • That reporting is encouraged, not punished
  • What happens when they report

Tailoring for Roles

Not everyone faces the same risks.

High-risk roles:

Finance and accounting:

  • Business email compromise
  • Payment fraud
  • Supplier impersonation

Executives:

  • Whaling (executive-targeted phishing)
  • CEO fraud
  • Voice/video deepfakes

IT staff:

  • Credential theft targeting
  • Supply chain attacks
  • Social engineering for access

Customer-facing staff:

  • Customer impersonation
  • Data requests
  • Social engineering via customer channels

Tailor training to role-specific threats.

Measuring Effectiveness

Bad metrics:

  • Training completion rate
  • Quiz pass rate
  • Hours of training completed

These tell you who sat through training. They don’t tell you if behaviour changed.

Better metrics:

  • Phishing simulation click rate (should decrease over time)
  • Time to report suspicious emails
  • Number of incidents from human error
  • Employee confidence in security knowledge (surveys)

Track phishing click rates monthly. A good program should see meaningful improvement over 6-12 months.

Building the Program

Phase 1: Baseline

  • Establish current phishing click rates
  • Survey current security awareness levels
  • Identify highest-risk groups

Phase 2: Foundation

  • Core security training for all employees
  • Simulated phishing program begins
  • Monthly security communications

Phase 3: Refinement

  • Role-specific training modules
  • Response to simulation results
  • Continuous improvement based on metrics

Phase 4: Culture

  • Security integrated into onboarding
  • Regular security discussions in teams
  • Recognition for good security behaviour
  • Incident reporting normalised

Platforms and Tools

Comprehensive platforms:

  • KnowBe4 (market leader, extensive content library)
  • Proofpoint Security Awareness Training
  • Cofense PhishMe
  • SANS Security Awareness

Simulated phishing focused:

  • Gophish (open source, free)
  • Curricula (engaging, less corporate)
  • Hoxhunt (gamified approach)

Video-based:

  • Ninjio (story-based videos, Hollywood production quality)
  • Infosec IQ

Many IT providers and security firms bundle training into their services. Ask about what’s available.

Working with Your Team

Getting buy-in:

  • Frame as protection for employees personally, not just company
  • Leadership should visibly participate
  • Celebrate improvements, don’t punish failures

The HR partnership: Security awareness should integrate with:

  • Onboarding (new hire training)
  • Performance (maybe, carefully - don’t over-punish)
  • Offboarding (remind people of obligations)

Manager involvement: Managers who reinforce training have more secure teams. Include them in the process.

When Someone Clicks

How you handle phishing simulation clicks matters.

Don’t:

  • Publicly shame people
  • Use as primary performance metric
  • Fire people for clicking
  • Create fear and anxiety

Do:

  • Provide immediate, gentle feedback
  • Offer additional training resources
  • Follow up personally with repeat clickers
  • Track trends to identify who needs help

The goal is learning, not punishment.

The AI Challenge

AI is changing security training in two ways.

AI-enhanced attacks: Phishing is becoming more convincing. Training needs to address:

  • Perfect grammar (no more “look for spelling mistakes”)
  • Personalisation at scale
  • Voice and video deepfakes
  • Sophisticated impersonation

AI-enhanced training: Some platforms now use AI to:

  • Generate realistic phishing simulations
  • Personalise training content
  • Identify employees needing additional support
  • Create relevant, timely content

Firms like Team400 can help design training programs that address AI-enhanced threats while leveraging AI for more effective delivery.

Beyond Training

Training alone isn’t sufficient. It needs to complement technical controls.

Training + email filtering: Training catches what filters miss. Filters catch what training misses.

Training + MFA: Even if credentials are phished, MFA provides a backstop.

Training + reporting mechanisms: Make it easy to report. A phishing button in the email client. Clear escalation paths.

Training + incident response: When incidents occur, use them as learning opportunities.

Budget Considerations

Rough costs (per user per year):

  • KnowBe4: $15-30
  • Proofpoint: $20-40
  • Cofense: $15-35
  • Gophish: Free (but requires setup and management)

Total investment includes:

  • Platform licensing
  • Administration time
  • Content customisation
  • Campaign management

For a 50-person company, expect $1,000-2,000/year for a solid platform, plus internal time.

Getting Help

Security awareness is one area where working with AI consultants Melbourne or similar specialists can add significant value.

They can:

  • Design programs tailored to your organisation
  • Implement and manage platforms
  • Conduct targeted training sessions
  • Measure effectiveness and refine over time

For businesses without dedicated HR or security staff, outsourced awareness management can be more effective than trying to run it internally.

The Honest Truth

Perfect security awareness is impossible. People will always make mistakes. The goal isn’t perfection.

The goal is:

  • Fewer people clicking malicious links
  • More people reporting suspicious activity
  • Faster recognition of threats
  • A culture where security matters

If your metrics improve over time and security becomes part of how people think, the training is working.

Final Thought

Security awareness isn’t about checking a compliance box. It’s about changing behaviour.

Short, frequent, relevant training. Simulated phishing with positive feedback loops. A culture that encourages reporting. Metrics that measure actual behaviour change.

That’s what works. Everything else is just PowerPoint.