
Security Training: From Checkbox to Culture

Traditional security training doesn't work. Learn to build a security culture that actually reduces human risk and meets NIS2 requirements.

  95%: of cybersecurity incidents involve human error (World Economic Forum)
  NIS2: requires cybersecurity training and awareness for staff (NIS2 Directive, Article 21(2)(g))
  70%: fewer incidents in organisations with a mature security culture (unnamed industry report)

Why Traditional Training Fails

Most organisations have some form of security training. An annual e-learning module, a certificate to print out, a checkbox to tick. Yet human errors continue to cause incidents.

The problem isn’t that training doesn’t work. The problem is how we do it.

The Insight: Security isn’t a knowledge problem — it’s a behaviour problem. Everyone knows not to click on suspicious links. Yet we still do it. Training must change behaviour, not just add knowledge.

NIS2 Training Requirements

Article 21(2)(g): Cyber Hygiene and Training

Among the risk-management measures every essential and important entity must take, Article 21(2)(g) lists "basic cyber hygiene practices and cybersecurity training".

Article 20(2): Management Training

Members of the management bodies (board, executive management) are required to follow training, and the entity is encouraged to offer similar training to employees on a regular basis, so that they gain sufficient knowledge and skills to:

  • Identify risks
  • Assess cybersecurity risk-management practices and their impact on the services the entity provides

Article 20(1) adds that management bodies must approve the risk-management measures and oversee their implementation, and that they can be held liable for infringements.

Implication: Training is not optional. But the purpose is behaviour change and risk management — not certificates.

Modern Threat Landscape for Training

Deepfakes and AI Fraud

CEO fraud using a cloned voice. Video calls with a synthesised face. Traditional training doesn't cover this, and the countermeasure is procedural: confirm any payment, credential or data request over a second, already-known channel before acting on it.

MFA Fatigue

An attacker who already holds a valid password triggers push notifications over and over, sometimes backed by a phone call posing as IT support, until the victim approves one just to make them stop. Known as "push bombing". Number matching (typing a code shown on the login screen into the authenticator) or passkeys remove the approve-without-looking step that the attack depends on.
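The pattern described above is easy to spot in identity-provider logs once you count prompts per user over a short window. The following is an added example, not code from the original page or from Securapilot: the log format (timestamp, user, event), the thresholds and the usernames are constructed assumptions, not any real identity provider's schema or defaults.

```python
"""Flag MFA push-bombing in authentication logs.

Added example, not from the original page: the log format (timestamp user
event), the thresholds and the usernames are constructed assumptions, not
any real identity provider's schema or defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. bob is a normal user; alice is being push-bombed
# late at night and finally approves a prompt.
SAMPLE_LOG = """\
2024-03-04T08:00:00Z bob push_sent
2024-03-04T08:00:20Z bob push_approved
2024-03-04T23:14:00Z alice push_sent
2024-03-04T23:14:05Z alice push_denied
2024-03-04T23:14:30Z alice push_sent
2024-03-04T23:14:35Z alice push_denied
2024-03-04T23:15:00Z alice push_sent
2024-03-04T23:15:30Z alice push_sent
2024-03-04T23:16:00Z alice push_sent
2024-03-04T23:16:30Z alice push_sent
2024-03-04T23:17:00Z alice push_sent
2024-03-04T23:17:30Z alice push_sent
2024-03-04T23:17:45Z alice push_approved
2024-03-05T09:00:00Z bob push_sent
2024-03-05T09:00:10Z bob push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_bombing(events, max_prompts=5, window=timedelta(minutes=10)):
    """Return {user: alert} for users who received max_prompts or more push
    prompts within any `window`. alert["approved"] is True if the user approved
    a prompt while the burst was still inside the window: the attacker's win
    condition and the case that needs immediate session revocation."""
    prompts = defaultdict(deque)   # user -> prompt timestamps inside the window
    alerts = {}
    for ts, user, event in sorted(events):
        if event == "push_sent":
            q = prompts[user]
            q.append(ts)
            while ts - q[0] > window:      # drop prompts older than the window
                q.popleft()
            if len(q) >= max_prompts:
                a = alerts.setdefault(user, {"first": q[0], "prompts": 0,
                                             "last": ts, "approved": False})
                a["prompts"] = max(a["prompts"], len(q))
                a["last"] = ts
        elif event == "push_approved" and user in alerts:
            # Only an approval shortly after the burst counts as a success.
            if ts - alerts[user]["last"] <= window:
                alerts[user]["approved"] = True
    return alerts


def describe(alerts):
    """Human-readable lines for a SOC ticket."""
    return [
        f"{user}: {a['prompts']} push prompts between {a['first']:%H:%M:%S} and "
        f"{a['last']:%H:%M:%S}" + (" and then APPROVED" if a["approved"] else "")
        for user, a in alerts.items()
    ]


if __name__ == "__main__":
    for line in describe(find_push_bombing(parse_log(SAMPLE_LOG))):
        print(line)
```

Running it on the constructed log flags alice (8 prompts in under four minutes, then an approval) and ignores bob. Tune `max_prompts` and `window` to your own baseline of legitimate retries, and treat an approved burst as a live account compromise, not a training data point.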

QR Code Phishing

Malicious QR codes in emails, on posters or in physical locations ("quishing"). The destination is not visible before scanning, and the personal phone that scans it usually sits outside the corporate email filter and web proxy, so the usual technical controls never see the link.

Social Engineering via Social Media

Attackers build relationships via LinkedIn or other platforms before attacking.

Business Email Compromise

Emails from a "colleague" or supplier with an urgent payment or data request, sent either from a genuinely compromised mailbox or from a lookalike domain. There is no malware and often no link, so technical filters tend to let it through.

Shadow AI

Staff upload sensitive data to AI tools without understanding the risks.

Building a Security Culture

  1. Leadership Example Culture comes from the top. If leadership takes shortcuts, why should staff care? Management must demonstrate that security is important through their own actions.
  2. Continuous Training Replace annual e-learning with short, regular sessions. 5 minutes every month beats 60 minutes once a year. Relevant topics based on current threats.
  3. Simulated Attacks Phishing simulations, vishing tests, physical penetration tests. Reality is the best teacher. Follow up with training — not punishment.
  4. Positive Reinforcement Reward correct behaviour. Highlight those who report suspicious emails. Avoid shame and blame — it leads to incidents being hidden.
  5. Measurement and Follow-up Track effectiveness. Are click rates dropping? Is reporting increasing? Are incidents decreasing? Adapt the programme based on data.

Phishing Simulations That Work

Do this:

  • Make simulations realistic — based on real threats to your industry
  • Vary types: email, SMS, QR codes
  • On click: immediate training, not just “you clicked wrong”
  • Positive feedback to those who report
  • Track trends, not individuals for punishment

Avoid:

  • “Gotcha” mentality
  • Public shaming
  • Unrealistic scenarios
  • No follow-up training
  • Using results for punishment

Measuring Effectiveness

Indicator           | Description                               | Target
Click rate          | Percentage clicking on simulated phishing | Declining trend
Reporting           | Number of reported suspicious emails      | Increasing trend
Incidents           | Incidents caused by human error           | Declining trend
Training completion | Percentage of staff completing training   | >95%
Knowledge tests     | Results on knowledge assessments          | >80% correct
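To turn the first two indicators into something you can actually trend across campaigns, here is an added example (not code from the original page or from Securapilot). The campaign results are constructed, and the script only ever aggregates by campaign and by team, so the output cannot be turned into a list of individuals to punish.

```python
"""Per-campaign phishing-simulation metrics and the trend across campaigns.

Added example, not from the original page. RESULTS is constructed data:
aggregate counts per (campaign, team), with no per-person records.
"""


# Constructed aggregate results: (campaign, team, sent, clicked, reported),
# listed in the order the campaigns were run.
RESULTS = [
    ("2024-Q1", "finance", 40, 12, 6),
    ("2024-Q1", "engineering", 60, 12, 15),
    ("2024-Q2", "finance", 40, 8, 12),
    ("2024-Q2", "engineering", 60, 9, 24),
    ("2024-Q3", "finance", 40, 5, 18),
    ("2024-Q3", "engineering", 60, 6, 30),
]


def campaign_metrics(results):
    """Return {campaign: {sent, clicked, reported, click_rate, report_rate}}
    in run order. Only totals are kept; teams and people are folded in."""
    totals = {}
    for campaign, _team, sent, clicked, reported in results:
        t = totals.setdefault(campaign, {"sent": 0, "clicked": 0, "reported": 0})
        t["sent"] += sent
        t["clicked"] += clicked
        t["reported"] += reported
    for t in totals.values():
        t["click_rate"] = t["clicked"] / t["sent"]
        t["report_rate"] = t["reported"] / t["sent"]
    return totals


def team_click_rates(results, campaign):
    """Click rate per team for one campaign, to target role-specific training."""
    return {team: clicked / sent
            for c, team, sent, clicked, _reported in results if c == campaign}


def slope(values):
    """Least-squares slope of values against campaign index: the average
    change per campaign. A single campaign has no trend."""
    n = len(values)
    if n < 2:
        return 0.0
    xm = (n - 1) / 2
    ym = sum(values) / n
    num = sum((i - xm) * (y - ym) for i, y in enumerate(values))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den


def trend(values, tolerance=0.01):
    """Classify a rate series; changes under `tolerance` per campaign are noise."""
    s = slope(values)
    if s > tolerance:
        return "increasing"
    if s < -tolerance:
        return "declining"
    return "flat"


def assess_programme(results):
    """Compare the series against the targets: clicks should decline,
    reports should increase."""
    m = campaign_metrics(results)
    clicks = [m[c]["click_rate"] for c in m]
    reports = [m[c]["report_rate"] for c in m]
    click_trend, report_trend = trend(clicks), trend(reports)
    return {
        "click_rate_trend": click_trend,
        "report_rate_trend": report_trend,
        "on_track": click_trend == "declining" and report_trend == "increasing",
        "latest_click_rate": clicks[-1],
        "latest_report_rate": reports[-1],
    }


if __name__ == "__main__":
    for campaign, t in campaign_metrics(RESULTS).items():
        print(f"{campaign}: click {t['click_rate']:.0%}, report {t['report_rate']:.0%}")
    print(assess_programme(RESULTS))
    print(team_click_rates(RESULTS, "2024-Q3"))
```

On the constructed data the click rate falls from 24% to 11% while the report rate rises from 21% to 48%, so the programme reads as on track. One caveat the numbers cannot show: click rate only means something if the difficulty of the lures stays comparable between campaigns, so record the template and pretext used alongside each campaign.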

Management Training

NIS2 specifically requires management training. Content should cover:

  • Threat landscape and current risks
  • Organisation’s security status
  • Management responsibilities under NIS2
  • How to assess security measures
  • What happens during incidents
  • How to read security reports

Format:

  • Shorter, focused sessions
  • Reality-based examples
  • Time for questions and discussion
  • Regular refreshers

Common Mistakes

Once a Year is Enough

No, it isn't. Behaviour change requires continuous exposure and reinforcement.

Same Training for Everyone

Developers, accountants and management have different needs. Tailor content to role and risk.

Scare Tactics

"Click this and you're fired" creates fear, not culture. People hide mistakes instead.

No Follow-up

Training without measurement is meaningless. How do you know if it's working?

Practical Tips

Make it Relevant

Use examples from your industry. “This happened to a competitor” is more effective than generic scenarios.

Keep it Short

Microlearning beats hour-long sessions. 5 minutes focused is better than 60 minutes inattentive.

Celebrate Success

Highlight teams that report threats. Positive reinforcement works.

Learn from Incidents

When something goes wrong, use it as a learning opportunity (without blame). Real examples stick better.

How Securapilot Can Help

Securapilot supports your security training:

  • Policy Management — Distribute and track approval
  • Training Tracking — Who has completed what
  • Incident Management — Learn from real incidents
  • Reporting — Status for management
  • Documentation — Evidence of completed training for regulators

Book a demo and see how we can support your security culture.


Frequently asked questions

Why doesn't annual security training work?

Once a year isn't enough for behaviour change. People forget quickly. The threat landscape changes. Training must be continuous and relevant to make a difference.

What does NIS2 require regarding training?

NIS2 Article 21(2)(g) lists basic cyber hygiene practices and cybersecurity training among the mandatory risk-management measures. Article 20(2) requires members of management bodies to follow training so they can identify risks and assess cybersecurity risk-management practices and their impact on the entity's services, and encourages similar regular training for employees.

Are phishing simulations effective?

Yes, when done properly. They should be realistic, followed by immediate training upon clicking, and be part of a broader programme — not an isolated 'gotcha' exercise.

How do we measure training effectiveness?

Click rates on phishing simulations (trend), reported suspicious emails, number of incidents caused by human error, knowledge test results. Trends are more important than absolute numbers.


#training #security-culture #awareness #NIS2 #phishing #human-risk
