Security awareness training is essential for any business trying to protect its data and assets from potential cyber threats. Putting together a program isn’t that hard, technically, but making it successful can be very tricky. 

Without paying careful attention to certain aspects of an awareness program, employees will become unengaged, or even rebellious. This will clearly lead to more vulnerable employees, and ultimately an unsuccessful program. Five things will help you prevent this from happening:

  1. Executive Buy-In
  2. Customization
  3. Continuity 
  4. Positive Reinforcement
  5. Re-assessment 

Let’s dive into what each of these things entails and how you can achieve them to help your security training.

1 – Executive Buy-In

The first step towards creating an effective security awareness training program is obtaining executive buy-in.

The key to a good security awareness program

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

Without the strong support of the top tier of management, the program may never get off the ground. Executive buy-in will ensure that everyone within the organization is on board with the program and understands its importance. 

Executives can sometimes surprise you when asked, by providing additional resources and knowledge about their vision and perceived barriers to success. When they properly understand the purpose and goals of the program, executives will be more likely to encourage employee engagement in the program. 

I have done several consulting projects to help companies build programs, and the most important thing I’ve done in each one is to hold “senior leadership interviews”. This helps you understand what executives believe should be included in the program and what the barriers were to their employees fully accepting previous programs or change initiatives in security or other areas. 

So, before even beginning to create a security awareness training program, make sure you talk to those at the highest level first. Bring to the table important questions like:

  • What do you expect to be in a cyber security program?
  • What did your previous training look like?
  • What do you feel didn’t work in previous programs?
  • What is your biggest cyber security concern?
  • Would you be willing to contribute personal stories or interviews in future?

Sharing case studies of look-alike companies can also help the top executives understand why it’s crucial to have not just any security program, but a successful one.

2 – Customized Training

 A successful security awareness program must be tailored to both your industry and, as much as possible, to the employee audience. Different industries have different risks associated with them, so your program must address those specific risks appropriately. 

For example, a tech start-up will have way different requirements than a large education institution. The start-up will want to prioritize role-based security topics, cloud-based attacks, and supply chain attacks. On the other hand, a university may focus more on basic phishing, social engineering, and ransomware. 

Additionally, employees have different needs when it comes to understanding cybersecurity concepts. People in different roles may be dealing with more critical information those in than another. Employees who use many web applications will be dealing with more login credentials, while others may be working in different locations with different physical security considerations. Tailoring your training materials to meet different employee environments helps ensure that all employees better understand exactly what they need to do to maintain a secure environment within their workplace.

A screenshot of a security awareness training program

Click Armor makes it easy to create customized situations based on your industry, risks and your employee’s daily tasks. By practicing real-life situations, employees can recognize threats easier. Book a call with us today to learn more. 

3 – Continuous Security Tests

Imagine attending one “self-defense” lesson and being expected walk through dark alleys all year. Unrealistic, right? So, why are we giving our employees one-off yearly training and expecting them to spot hackers whenever they arise, and with different attack methods? 

A one-time security awareness training session is not enough for an effective security awareness program; instead, employees need safe and regular training to ensure that they understand how to keep information and systems safe online at all times. 

It may seem unlikely that employees will want to engage with such a frequent program. But it can be done through regular gamified challenges and leaderboards. By making lessons shorter, but more fun, you can engage them more frequently, and employees are more likely to remember what attacks will look like. You can also update your training to reflect current events or tasks that your employees are doing so they can apply them to their daily lives.      

The leaderboard of a security awareness training program


4- Positive Reinforcement – NOT Scare Tactics  

Positive reinforcement beats punishments and scare tactics, always. Employees who feel scared or overwhelmed by the prospect of learning about cyber attacks may become disengaged from the training process due to their fear or paranoia. This will lead to an incomplete understanding of proper security practices which could then lead to lapses in safety protocols that could put your organization at risk for a significant breach in the future.

Instead, focus on teaching employees short, concise messages about “why cyber security matters to your business” and how they can benefit from taking appropriate measures when using technology within their workplace environment. This will be much easier if you have the executive buy-in from tip #1 above. Bonus points if your executives are already encouraging and exemplifying this behavior! (But that may take some time.)

With gamified training, a leaderboard is a powerful thing when it has the right attributes. Some may say “I’m not a gamer, so this won’t motivate me”, but I’ve learned that nearly everyone cares whether or not they are in the top half of leaderboard rankings. 

Seeing themselves in the bottom half of the leaderboard can also encourage employees to complete and even repeat training to improve their self-esteem. But nobody likes to be shamed by having their poor performance on the leaderboard revealed.

It can be very motivating to create an in-office competition to encourage people to get to the Top Ten on the board. This type of approach builds a stronger security culture where people talk about the program in casual conversations. That’s when you see real results. 

5- Re-assessment of participation, proficiency and culture  

Regular re-assessment is necessary for any successful security awareness program, as it helps measure how well employees have been able to retain information learned over time. 

Schedule times for periodic assessments of knowledge. If you use a continuous program like Click Armor, this will be easy. You can simply schedule regular gamified assessments, and check in on the data of your employees. You can also see how they have been participating in their recurring challenges. 

Gathering data from multiple sources is key. Don’t expect that you can simply run live phishing simulations every month and achieve a strong security culture. Gamified challenges and assessments provide different dimensions of feedback on the program. You can also collect opinions from employees (ideally from within the gamified lessons), and assess other aspects of how technology used by employees, as well as management policies and communications are impacting employees.

If you notice training is not getting done, then it’s time to change your reinforcement strategies. If you notice it is getting done, but not properly, then it might be time to change the customization of your training so your employees can better understand. 


Putting it all together for the best security awarness training

A successful security awareness program must include all five components discussed above – executive buy-in, customization (to industry & employee environments), continuity, positive reinforcement (NOT scare tactics) and re-assessment – for it to be effective at helping protect against potential cyber threats facing organizations today. 

A strong security awareness program provides additional layers of protection against malicious actors looking to exploit weaknesses that expose information and systems. With these five essential components in mind, businesses can create a strong, sustainable program that is ultimately an enabler for securely achieving the business’s core mission and goals.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.