Cybersecurity training is essential, but let’s face it—it often ends up being dull and forgettable. In our latest panel discussion, security experts tackled this challenge head-on, sharing their insights on why security programs become boring, the consequences of disengagement, and how to make training both fun and effective.
And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on why security training can become boring:
FP: A lot of security training suffers from the curse of knowledge—assuming people know more than they do. We also rely on outdated statistics that no longer resonate with users. And the biggest issue? Training is delivered quarterly or annually instead of being timely and relevant. Security awareness needs to be a continuous process, not something employees are forced to endure once a year and then forget about until the next cycle.
TM: From a neuroscience perspective, the brain filters out information that isn’t personally relevant. If people don’t see how security impacts them, they won’t engage. Additionally, cognitive overload, too much complexity, causes people to tune out. The brain is designed to conserve energy, so when information feels irrelevant or too difficult to process, it will discard it.
CE: Security is inherently technical, which makes it difficult to simplify. One way to combat this is by making training interactive: getting people involved in discussions and short exercises instead of just lecturing. I’ve seen the power of engagement when training includes hands-on activities, real-world scenarios, or gamified elements.
JG: People tune out. I’ve been guilty of clicking through security training without paying attention, and I work in cybersecurity. If it’s not engaging, people won’t absorb the message, which defeats the whole purpose. I’ve seen employees in other industries do the same thing, just trying to get through it as quickly as possible with no real learning happening. When people treat security awareness like a box-checking exercise, they don’t apply any of it in real-world situations.
SW: When people are disengaged, they don’t develop security habits. Phishing emails and business email compromises slip through because employees don’t think critically about what they’re clicking. This makes organizations vulnerable.
FP: Security is everywhere—from the time you wake up to the time you go to bed. But when training is boring, people don’t make that connection. Instead of slowing down and evaluating risks, they rush through tasks, increasing the chances of a security incident.
FP: Understand your company culture. If your organization is conservative, memes and cartoons may not work for everyone. But for more relaxed teams, humour and creative content can make a huge difference. But make sure whatever you do share with them is not just humorous and funny, but that it’s going to burn in and it’s going to resonate so they can apply it later on.
CE: Some people think gamification means ‘not serious,’ but that’s not true. Gamified training increases engagement without losing the core security message. It’s about making learning feel less like a chore. The key is finding a balance. Security training should be engaging, but also feel valuable. If people see it as just another game, they might not take it seriously. But if it’s structured correctly, gamification can enhance the learning experience while reinforcing real security behaviours.
TM: Humor is powerful, but not everyone is comfortable using it in training. If that’s the case, use surprise instead, like storytelling or an unexpected example. The brain remembers unexpected things, so try out a shocking statistic, an unusual analogy, or even a sudden shift in format to capture attention and make learning stick.
CE: I’ve been using gamification in training for over 25 years. Back in the day, I ran Jeopardy-style quizzes for new hires, and everyone looked forward to them. It made them pay attention to the lessons so they could do well in the game. I’ve seen similar results with more modern training platforms; adding competition and incentives keeps people engaged and motivates them to improve their security awareness.
FP: We’ve used Capture the Flag events in security awareness training. But instead of technical challenges, we put flags in policy documents and we force employees to find key security information in real-world scenarios. It’s been a great way to get people to engage with security policies. When employees actively search for the right answers, they’re more likely to remember them.
TM: Storytelling is an underrated yet effective form of gamification. People naturally retain information better when it’s part of a narrative. A well-crafted security story can be just as engaging as a game. Think of it like a detective novel. If employees have to ‘solve’ a security challenge by following a story, they’re more likely to remember what they learned. Security shouldn’t feel like a lecture; it should feel like an experience.
The key takeaway? Security training doesn’t have to be boring. By making it interactive, relevant, and even fun, organizations can ensure that employees actually absorb and apply security lessons. Whether through gamification, storytelling, or just making training more relatable, the goal is to keep people engaged. Because engaged employees reduce risk.