Oh boy, I mean, what isn't wrong with Security Awareness? Alright alright, that's not helping at all.

So, let's start here: When was your last Security Awareness Training? And what did you do during that time?

I don't mean what the topic or format of the training was. I mean: what did you do while the video ran in a muted tab on the second screen?

Or let's try it this way: How do you measure the success of your program? Completion rate of the videos with tips on spotting the bad spelling in phishing mails? Click rates in the phishing simulations that the trainer has way too much fun creating?

Ok, let me put some bits on that wire.

The Compliance

It starts at the decision. Many orgs implement some sort of security awareness program because they have to. Regulatory necessity or contractual demand by the cyber insurance; pick your poison. But nobody wanted to do it themselves, so they turned to vendors of Web Based Training (WBT). The modules get rotated only if you're lucky. How often? Oh, annually is plenty. Don't take that precious time away from those employees. There is money to be made.

Infosec already has the problem of creating costs instead of revenue.1 But firewalls and email filters can provide cold hard numbers of victory over the hordes of adversaries. Ten bazillion blocked cyberattacks per minute can't be argued with. This awareness thing, on the other hand, does not provide these beautiful cold hard numbers in such an impressive way, so let's keep it minimal and keep the employees on the productive side of things.

This is compliant. And everybody is annoyed by it.

The Tech

It is easy to speak of expected behavior when you know software very well. And I assume it used to be easier. For many people whose occupation is not infosec (so, the vast majority of people), the difference between expected software behavior, benign errors and a malicious approach is not clear. It really doesn't help when legitimate software does weird stuff because of bad UX design or similar. Or when a shipping company sends out the tracking link via tracking-[shipping-company].com. Use a subdomain, for crying out loud!

And we cannot really expect people to know which software behavior is legit and which definitely is not. We should keep in mind that, again, most people's occupation isn't tech, but accounting, marketing or legaling. And they have to keep up to date there as well. From their point of view, tech just has to work, and they do get annoyed when it doesn't. Yes, ransomware is bad, but …

And people are different. We mustn't expect all people to respond to out-of-the-box training and software of varying maturity the same way.

The Processes

I do like working with (C)ISOs. And I do like processes. Action and Omission. Do this, abstain from that. You want to do what? There's probably a policy for that. Look it up. But:

If the lips are talking and the feet are walking: watch the feet!

Processes that need legal assistance to apply to specific situations will only work when people have legal assistance in their everyday work.

The Culture

What happens when you get a phishing email? You report it, obviously. You clicked the link, though. And you always joke about people who click on links in obvious spam mails. Oh, surely no one will make fun of that. Oh, but your boss did cut home office for Alice because she failed a phishing test last year. Also, the popup said that browser protection caught the attack. You just had to click the confirm button on the popup, hit win+r and Enter in order to unlock the browser again. And the SOC is heavily overworked. They probably won't investigate anyway.

And what happens when you notice your boss doing something against policy? You just remind them of the correct process, right? Easy. But wait. Last week, when Bob pointed out something similar, he got a warning about his lunch breaks, despite taking them the same way as everyone else.

When the culture in the org doesn't provide a way to report one's own and others' detrimental actions and omissions without repercussions, reporting will be omitted. And worse. Or as Rich Greene puts it:

Systems that require perfect behavior will eventually fail.2

This applies to Phishing Simulations as well, so let's get to the last point for today.

The Metrics

How do we know our security awareness program is working? Is it the completion rate of the annual mandatory WBT? What did you do during your last training again? Training completion rate won't tell us if users understand the threat, their role and their options. It doesn't even tell us if they completed the training, other than technically.

How about click rate in the phishing simulation? We'll see if they paid attention that way, right? Right? Again: click rate doesn't tell us why they clicked (they "fell" for it, they misclicked, they caught the simulation and were curious, the whole office talks about it and they wanted to look at the teachable moment on the landing page) or if they even saw the mail. Some just create an inbox rule for the sender domain that throws it right in the bin.

The focus on click results is often even matched by management's demand to know the names of the people who clicked, so they can receive a stern talking-to. This shows a focus on the bad behavior in particular. That's not going to improve culture, to say the least.
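To make the point concrete, here is an added example (not from the post, and not any vendor's tooling) that takes a constructed simulation event log and shows what a single click rate hides: who never saw the mail, who reported, and who reported even after clicking. The event names and minute timestamps are assumptions for the sake of the example.

```python
"""Richer phishing-simulation metrics than a single click rate (added example)."""
from statistics import median

# Constructed sample events, not data from the post: (user, event, minutes after send).
# "dave" never opens the mail: an inbox rule sent it straight to the bin.
EVENTS = [
    ("alice", "delivered", 0), ("alice", "opened", 5), ("alice", "clicked", 6), ("alice", "reported", 7),
    ("bob", "delivered", 0), ("bob", "opened", 12), ("bob", "reported", 13),
    ("carol", "delivered", 0), ("carol", "opened", 30), ("carol", "clicked", 31),
    ("dave", "delivered", 0),
    ("erin", "delivered", 0), ("erin", "opened", 2),
]


def per_user_timeline(events):
    """Map each user to the earliest minute at which each event type occurred."""
    timeline = {}
    for user, event, minute in events:
        user_events = timeline.setdefault(user, {})
        user_events[event] = min(minute, user_events.get(event, minute))
    return timeline


def outcome(user_events):
    """Classify one recipient; a report still counts if the user clicked first."""
    if "reported" in user_events:
        return "reported after click" if "clicked" in user_events else "reported"
    if "clicked" in user_events:
        return "clicked, no report"
    return "opened, ignored" if "opened" in user_events else "never seen"


def summarize(events):
    timeline = per_user_timeline(events)
    delivered = [u for u, e in timeline.items() if "delivered" in e]
    seen = [u for u in delivered if "opened" in timeline[u]]
    clicked = [u for u in delivered if "clicked" in timeline[u]]
    reported = [u for u in delivered if "reported" in timeline[u]]
    report_minutes = [timeline[u]["reported"] for u in reported]
    return {
        "click_rate": len(clicked) / len(delivered),         # the usual headline number
        "click_rate_among_seen": len(clicked) / len(seen),   # excludes mail nobody saw
        "report_rate": len(reported) / len(delivered),
        "never_seen": len(delivered) - len(seen),            # candidates for inbox rules
        "first_report_minutes": min(report_minutes) if report_minutes else None,
        "median_report_minutes": median(report_minutes) if report_minutes else None,
        "outcomes": {u: outcome(timeline[u]) for u in delivered},
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

With this data the click rate is 0.4 either way, while the per-user outcomes and the time to first report are what tell you whether reporting actually works.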


So, I'll leave you with this for the moment. Next time, I'll take you a step further on the solutions side of things.

Until then: Take care and bye bye.