Security awareness managers can pull out all their tricks, but still struggle to train unmotivated employees in cyber security. These disengaged individuals, who don’t care to understand the potential effects of their actions, are a huge vulnerability to any organization. That’s why you should never give up on training them. Even just one weak link can lead to an unwanted breach.

Photo from UnSplash+ and Getty Images

Cybersecurity Awareness Training for ALL

Take proactive steps to invest in your business’s cyber resilience now to protect your organization from costly data breaches and disruptions. Start easily with our Quickstart Training Bundles. To learn more CLICK HERE.

• Unmotivated waterfall: If other employees see that an employee can not complete training and get away with it, all of a sudden you’ll have a waterfall of unmotivation. Once one person expresses negative emotions or “That doesn’t even matter!” the rest will latch on and start copying their actions. Stop the waterfall at the top before it gets too big to control and ruins your security culture. 

How to spot those who “don’t care”

Every employee who doesn’t complete your training isn’t an “I don’t care about security” employee. There are a lot of reasons someone might not do it: They don’t have time, they feel overwhelmed, they forgot, they don’t like it, or they don’t understand. The employees we are specifically targeting are those who don’t care to understand the fragility of the security of an organization and don’t believe it’s part of their role to help. Here are some other red flags that someone is in the “I don’t care” category:

• Negative or zero security cooler talk: Listen carefully to the way your team members talk about security. You’ll be able to find these employees by looking for eye-rolls or disengagement anytime security is brought up. They might also talk negatively about security and the security team. Look out for more than normal complaints. Not just, “I hate phishing tests”, but “the security team is so annoying!” instead. 
• Ignoring reminders and zero participation: Not everyone in your organization will actively engage with your security Slack messages or optional workshops, but stay on the lookout for anyone who actively ignores direct messages from you and constant reminders to complete training. 

The “I don’t care employees” will show extreme resistance to any training, messaging, or workshops given by the security team. You’ll likely never be in contact with them as they’ll avoid you at all costs. 

How to train unmotivated employees in cyber security 

Make training as enjoyable as possible 

Stop employees from “not caring” by reducing the resistance to training by making it fun. The key to making training more enjoyable for users is to make modules short and gamified and to use positive reinforcement. This will not only ease the pain for the disgruntled employees doing the training but will encourage positive conversations. 

For example, if one employee says to another, “I just beat you on the leaderboard! You’ll never catch me,” the unmotivated employee may overhear and have their interest piqued. If they hear enough game-talk about the training, they may experience enough FOMO (Fear Of Missing Out) that they check out the training and realize it’s more fun than they thought. 

Have 1-on-1 conversations

Many unmotivated employees don’t believe that they can have an impact on the security of an organization. They think they are just one person out of hundreds, so why would their participation matter? 

Sit down with the unmotivated employee 1-on-1 and have a conversation about security. This face-to-face and individualized interaction will help them feel special and make them realize the impact that their actions can have on the organization. Explain how employees are the front-line protection to security and how important even one employee is. 

Research what rewards they want 

The thing about unmotivated employees is that it seems like not even the best rewards can motivate them. However, have you tried asking them what could get them motivated to complete security training? 

Many organizations think gift cards or pizza parties are the easiest way to encourage employee participation. But those might not be motivating to the employee at all. They may prefer an afternoon off or a small bonus. Communicate with all employees to find out how they are best motivated, instead of wasting your resources on rewards that no one enjoys. Once you find out their wants, you can advocate for them to the C-Levels. 

Make a group goal 

Nothing motivates people like peer pressure! All jokes aside, some employees might feel more motivated to complete training if their team’s success depends on their participation. Not only will they feel like they owe participation to their peers, but they may also receive words of encouragement from the most motivated team members. 

There are two ways you can create group goals. The first would be creating a group goal that is only given once everyone in the group completes training. So, the Digital Marketing team only receives a paid lunch of their choice when the whole team completes training. The second is a competition that is team-based. So, the team with the highest score receives the pizza party. 

Encourage cyber security champions

Another way to encourage team motivation is by creating Security Champions. Security Champions are individuals across the organization that you select to encourage a positive security culture. 

By tasking your most motivated employees to spread their positive security attitude around the organization, they may be able to influence their less motivated peers. If an unmotivated team member hears another employee talking so highly about the importance of security, they may be more easily influenced than hearing it directly from the security team. 

You might have to depend on the “sticks”

Even with the most fun security training and positive team members, you may still find some stragglers who refuse to care about security. Unfortunately, this is when you will have to use negative reinforcements (a.k.a. “sticks”). 

It’s a natural instinct to want to stay positive, but there are boxes you need to check to keep your organization safe. If you’ve tried all the “carrots” and the employee still doesn’t care, don’t feel bad for starting negative reinforcement procedures. 

To start off, they don’t have to be extreme. It can start with a simple sit-down warning from their boss. This stern conversation may motivate them enough to comply. If not, you’ll need to escalate to an automatic leave or termination warning. Remember that your top priority has to be keeping your organization safe. 

Get leadership involved

The final step is getting your leadership involved. When you have tried all other options, there becomes a point when you cannot control employees and they become a threat to your organization. Know that you should not be carrying the pressure of an unmotivated employee if you’ve already exhausted all of your options. 

Training employees who lack motivation in cybersecurity is a challenging but essential task. By making training engaging, understanding employee motivations, and empowering champions organizations can transform apathetic employees into active participants in their cybersecurity efforts. Eventually, you may need to lean on negative reinforcement and support from your leadership to get things done. But, ultimately fostering a culture of security awareness is not just about mitigating risks—it’s about ensuring the overall resilience and success of the organization.