How to Build a Security Awareness Culture (Not Just Complete the Training)
Security awareness programmes are one of the most consistently over-invested and under-effective components of security spending. Organisations commit to annual training modules, track completion rates, report to the board that 94% of staff have completed the programme, and then discover that the same phishing techniques that were covered in the training are still working against their staff twelve months later. Completion is not the same as capability. The training has been done. The behaviour has not changed.
The gap between completing a training module and actually behaving differently in a moment of uncertainty is significant and well-documented. People do not make poor security decisions because they lack information. They make them because they are distracted, under time pressure, or in a social context where raising a concern feels awkward. A training module that tells people phishing exists does not address any of those conditions.
What Awareness Training Actually Achieves
Training is not useless. It establishes a shared vocabulary and a baseline understanding of the threats that exist. It also satisfies certain compliance requirements and provides a documented record that the organisation has taken reasonable steps to educate staff. These are legitimate purposes, but they are not the same as building a security culture. Understanding what training can and cannot achieve is the starting point for designing a programme that does both.
The most useful thing a training programme can do is not convey information. It is create permission to ask questions and report concerns. Organisations where staff regularly report suspicious emails, flag unusual requests from suppliers, and ask IT before clicking on something unexpected have a security culture. Organisations where staff complete training and then avoid reporting incidents because they fear blame do not, regardless of completion rates. The training content is less important than the organisational norms it is embedded in.
Building Norms Rather Than Programmes
Security norms are built through consistent signals from leadership, not through training content. When the CEO takes a phishing simulation seriously rather than dismissing it as a distraction, that signal propagates through the organisation. When a staff member who reports a suspicious email receives a prompt, positive response, the reporting behaviour is reinforced. When an incident is disclosed by someone who made a mistake and they are treated with respect rather than blamed, the likelihood of future disclosure increases significantly.
The opposite is also true. When leadership bypasses security controls because they create friction, that signal propagates too. When a staff member who reports an incident is treated as the person responsible for the breach rather than the person who identified it, reporting behaviour declines. When security is communicated primarily through warnings and consequences rather than through genuine engagement, it becomes associated with compliance obligation rather than shared responsibility. These dynamics are set by leadership behaviour, not by the content of training modules.
Measuring Culture Rather Than Activity
The metrics that matter for security culture are different from the metrics that matter for training compliance. Completion rates are an activity metric. The metrics that indicate cultural change include: the rate at which staff report phishing simulations versus click on them, the time from identification to reporting of actual security incidents, the number of informal security questions raised to IT or security outside of formal processes, and the results of targeted assessments of security behaviour in specific contexts.
Phishing simulation programmes are a useful cultural indicator when run correctly. The point is not to catch staff failing. It is to measure baseline behaviour, provide immediate feedback at the moment of failure rather than in a retrospective training module, and track the trend over time. A declining click rate alongside an increasing report rate is evidence of cultural change. A stable click rate with increasing completion of the remediation training is evidence of activity with no cultural impact. The distinction matters for how you design your response.
Practical Improvements for Existing Programmes
If you are running an annual training module with a completion target and nothing else, there are several practical additions that will improve outcomes without significant investment. First, move phishing simulations to a continuous low-volume programme rather than periodic batch exercises. Regular low-stakes simulations with immediate feedback are more effective at building recognition skills than occasional large campaigns. Second, brief managers on the security team's priorities quarterly, because managers are the most credible communicators of expectations to their teams. Third, create an easy, low-friction reporting channel and actively acknowledge reports. The ease and responsiveness of reporting directly affects reporting rates.
Fourth, review the content of your training against the threats that are actually targeting your organisation. Generic awareness training that covers topics your organisation does not face dilutes the signal. Training that addresses the specific techniques being used against organisations in your sector and of your size is more relevant and more likely to change behaviour. We work with clients to design awareness programmes that are calibrated to their actual threat environment, their workforce, and the cultural norms they are trying to build, rather than around a generic module library.
To discuss security awareness and culture programmes for your organisation, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







