What Is Security Awareness Training and Does It Actually Work?

December 12, 2023

Ask any organisation whether they have a security awareness training programme and the answer is almost always yes. Ask whether it is working and the answer becomes far less certain. Annual completion rates are reported, phishing click rates are tracked, and the box gets ticked. What rarely gets examined is whether staff are actually making different security decisions after the training than they were before it.

That gap between deployment and effectiveness is where most programmes fail. Security awareness training is not ineffective by nature. It is often ineffective by design, delivered in formats that prioritise compliance over comprehension and measurement over behaviour change. Understanding what the research and practice actually show helps organisations make better decisions about how to invest in it.

What Awareness Training Can Realistically Change

The core value of security awareness training is attention. People cannot recognise a threat they have never seen described. A staff member who has never heard of business email compromise is genuinely more vulnerable than one who has been shown what it looks like. At the most basic level, training creates a vocabulary and a set of mental models that people can use to interpret suspicious activity when they encounter it.

Training also changes reported behaviour in measurable ways when it is done well. Programmes that use realistic scenarios, reinforce learning through repeated exposure, and connect security decisions to real consequences specific to the person's role produce better outcomes than one-hour annual modules. The key word is "realistic." Generic content about clicking suspicious links does not prepare someone for a well-crafted spear phishing email that references their manager by name and uses the organisation's correct invoice format.

What Awareness Training Cannot Do Alone

Training does not fix a broken security culture. If staff see that security gets in the way of doing their jobs and that nothing happens when people bypass controls, training content will not override that environment. Behaviour follows incentives and norms, and training is only one input into both. An organisation where a manager routinely sends colleagues credentials via chat, or where password policies are widely ignored, has a culture problem that training alone will not resolve.

Training also cannot compensate for technical controls that are absent or poorly configured. The purpose of awareness training is to add a human layer to a defence, not to replace technical layers. If staff are receiving obviously malicious emails in their inboxes without any filtering or flagging, the training programme is being asked to carry too much weight. Awareness training and technical controls work together. Neither substitutes for the other.

What Programme Design Produces Genuine Behaviour Change

The research on behaviour change consistently points to a few design principles. Spaced repetition outperforms single annual events. Contextualised scenarios outperform generic content. Immediate feedback when someone makes a mistake outperforms post-event reporting. Positive reinforcement of correct behaviour outperforms punitive responses to failure. These principles are not complicated, but they are routinely ignored in programmes that prioritise cost minimisation over outcome quality.

Role-based content is another significant factor. Finance staff face different social engineering scenarios than IT staff. Executives are targeted through different channels than frontline employees. A programme that treats all roles identically is optimising for ease of delivery rather than effectiveness of training. The most effective programmes we design and deliver at Cyberlinx segment the audience, build scenarios relevant to each group, and vary the content and format to maintain engagement over time.

Measuring Whether Training Is Working

Completion rates tell you whether people sat through the training. They do not tell you whether anything changed. Phishing simulation click rates are more meaningful but are still a narrow measure. The metrics that indicate genuine behaviour change include incident reporting rates (do people report suspicious activity more often?), time to report (are they reporting faster?), and behavioural observations in simulations that test decision-making rather than just email clicking.

Effective programmes also check knowledge retention over time, not just immediately after training. A quiz passed on the day of completion means very little if the same questions produce different answers three months later. Building in scheduled reinforcement and re-testing at intervals gives a much more reliable picture of what has actually been retained and applied.

  • Annual one-off training sessions produce low retention and limited behaviour change.
  • Spaced, scenario-based delivery significantly outperforms single-event formats.
  • Role-specific content increases relevance and engagement.
  • Measurement should focus on behaviour, not completion.
  • Training works best as part of a broader security culture effort.

If you want an honest assessment of what your current awareness programme is actually producing, or you want to build something designed to change behaviour rather than tick boxes, get in touch with us at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Awareness Training
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?