Rethinking Security Training With A Human Risk Management Approach

Forbes

30-06-2025

Masha Sedova, VP of Human Risk Strategy, Mimecast.

What's the one area in cybersecurity that is overdue for change? It's security awareness training. After three decades of underwhelming results, it's clear that security awareness programs haven't kept up with today's threat landscape. Human error remains the leading cause of data breaches, with Mimecast reporting that 95% of data breaches involve user mistakes. While those numbers remain stubbornly high, conventional training methods fail to instill lasting behavioral change.

If we want security awareness to truly protect organizations, we need to rethink everything—from how we structure training, to the metrics we track, to what 'success' actually looks like. It's time to stop measuring attendance and start measuring action. By focusing on adaptive learning, personal accountability and measurable outcomes, we can evolve security awareness from a compliance checkbox into a core defense mechanism.

Why Legacy Training Fails To Deliver

For years, security awareness relied on outdated tactics like annual training modules and phishing simulations. These tools often create a false sense of progress while leaving companies exposed when behavior doesn't shift.

The problem isn't just outdated content—it's the one-size-fits-all structure. Most organizations deliver the same training to every employee, regardless of job role, risk exposure or history of security missteps. Expecting uniform outcomes from workers with vastly different responsibilities is both unrealistic and ineffective.

Worse, the metrics used to assess these programs are often meaningless. Completion rates and engagement scores track participation, not progress. It's time to prioritize behavior and results, not just check-the-box compliance.

What Human-Centric Training Should Look Like

To truly reinvent security awareness, organizations need to move from static, one-dimensional programs to those that empower employees and respond to evolving risks. Grounded in a human risk management framework, this new approach should center on three pillars.

The calendar-based model no longer works. Cyberthreats evolve rapidly, and training must evolve with them—meeting employees at the point of risk. Just-in-time learning is essential. If an employee clicks on a risky link, a prompt that explains the mistake and offers safer alternatives helps cement the lesson when it matters most. Threat-responsive updates are just as vital. Security programs should shift with threat levels—deploying phishing alerts during surges or ransomware simulations when relevant. Even simple interventions, like monthly nudges, help keep good habits top of mind.

Not all employees face the same risks. Senior leaders are often targeted by spear-phishing. Developers may encounter credential-harvesting threats. Yet most training programs treat all employees the same. A more tailored approach improves both relevance and retention. This can be achieved by taking the following steps:

  • Categorize employees by their risk level (low, medium, high) based on job role, access level and past behavior.
  • Use real user data to shape future training and deliver targeted feedback or additional simulations for those who have fallen for phishing attempts.
  • Create transparent risk profiles that show employees how their behavior compares to peers (e.g., "You are two times more likely than your peers to click a phishing link.") to promote self-awareness.

Customization doesn't just drive better results. It shows employees that the training applies directly to their day-to-day challenges—and empowers them to reduce risk on their own.

One of the biggest shifts needed is how we define success. Vanity metrics like completion rates won't cut it. Focus instead on data points that reflect behavioral change and reduced risk outcomes, including:

  • Reduced successful phishing attacks over time
  • Improved password hygiene (e.g., reduction in reused or weak credentials)
  • Decreased risky activities, like installing unapproved apps or mishandling sensitive data
  • Tangible economic benefits, such as lower remediation costs or fewer downtime events

Behavior-based metrics are not only more meaningful—they drive continuous improvement by showing what's working and where to focus next.

Creating A Culture Of Accountability

Modern security awareness must build trust, not fear. Employees shouldn't be punished into compliance—they should be brought into the process as active defenders. Give them visibility into their own progress. Simple dashboards or comparative banners (e.g., 'You're in the top 10% for secure behavior!') drive motivation and clarity.

Recognition matters too. Celebrate employees who report phishing attempts or avoid traps. Positive reinforcement builds morale—and reinforces the right habits. When employees feel invested and informed, participation turns into ownership.

Reframing Awareness As Human Risk Management

Security awareness is just one part of a broader human risk strategy—but it's a high-impact opportunity hiding in plain sight. The poll results are clear: Industry frustration is high and legacy methods no longer serve. By shifting toward adaptive, personalized and outcome-based training, organizations can finally address the human vulnerabilities that attackers exploit most. When done right, security awareness doesn't just educate—it protects.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.