Cyber Awareness Training: How to Actually Change Behavior (+ Reduce Risk)

The flaws of typical cyber awareness training and how you can start to carry out training that genuinely changes employee behavior.


According to Cybercrime Magazine, cybercrime will cost the world $9.5 trillion USD in 2024.

That’s $255,000 every second.

Meanwhile, 82% of data breaches contain the human element.

This makes cybercrime a unique threat in which people are both the cause and the solution.

In this guide, we'll look at the flaws of typical cyber awareness training, why behavior change is relevant for cybersecurity and how you can start to carry out training that genuinely changes employee behavior.

How does cyber awareness training typically work?

Your standard cyber awareness training program usually involves a series of educational sessions designed to inform employees about cybersecurity risks and best practices.

Here’s a breakdown of how traditional cyber awareness training typically functions:

Scheduled training sessions: Organizations will usually schedule periodic training sessions where employees are required to attend workshops or webinars. These sessions cover a broad range of topics including password security, recognizing phishing attempts, safe internet practices, and data protection guidelines.

Assessment tests: Post-training assessments or quizzes are used to evaluate the understanding and retention of the information provided. Employees are tested on the key concepts and practices taught during the training sessions.

Policy acknowledgment: Employees might be required to sign acknowledgments or certifications confirming they have received, read, and understood the organization’s cybersecurity policies and training materials.

What are the limitations?

While traditional cyber awareness training has been a standard approach for years now, it has several limitations that can impact its effectiveness in addressing modern cybersecurity threats.

Lack of engagement: Traditional training methods can be monotonous and fail to engage employees effectively. Employees often feel that it disrupts their regular workflow.

Infrequent training: Cyber awareness training sessions are often scheduled periodically, which means employee behavior doesn't change and the training sessions aren't up-to-date with the latest threats.

One-size-fits-all: Traditional training tends to follow a one-size-fits-all approach, providing the same content to all employees regardless of their specific roles, responsibilities, or levels of existing knowledge.

Reactive (rather than proactive): Traditional training often focuses on compliance and checking off mandatory training requirements rather than fostering a proactive security mindset.

Limited real-world application: Static and theoretical content does not always translate well to real-world situations. Employees may struggle to apply what they’ve learned when faced with actual cybersecurity threats, as traditional training often lacks practical, hands-on components.

No continuous reinforcement: Without continuous reinforcement and regular updates, the knowledge gained from traditional training can quickly become outdated. Cybersecurity threats evolve rapidly, and employees need ongoing education to stay current with the latest tactics and defenses.

Lack of personalization: Traditional training does not account for the varying levels of cybersecurity knowledge among employees. Nor does it take i

Insufficient training leads to errors

Training that isn't up to scratch won't equip employees with the knowledge and skills needed to handle real-life situations.

Below are the key types of errors you'll likely see:

Skill-based errors: These will occur during routine activities when attention is diverted from a task. When a skill-based error happens, people generally have the right skills to correctly perform the task, but they fail to do so.

Example: An employee accustomed to handling numerous email attachments daily might accidentally open a malicious attachment while multitasking, leading to a malware infection.

Decision-based errors: These are what you'd typically call a mistake. A decision-based error occurs when we make the wrong judgment, but we believe that our call is the right action.

Example: A system administrator who is not fully versed in cybersecurity best practices might misconfigure a firewall, leaving the network vulnerable to attacks.

A decision-based error has two subtypes:

  • Knowledge-based error: This means that the person does not have sufficient or correct knowledge to perform the right action.
  • Rule-based error: When individuals follow the wrong set of rules or procedures, or apply the correct rules incorrectly.

Your training needs to keep up with social engineering techniques

Social engineering attacks can be pretty sophisticated.

Attackers will use human psychology and persuasion techniques to craft their campaigns to establish credibility and trust.

Modern cyber attacks rely on techniques like fear, trust and urgency.

This makes it easier to persuade employees to take action like giving away passwords, downloading malware, or making a bank transfer.

When employees are not conscious of social engineering techniques, attacks can easily slip through the net.

Implementing people-centered training that uses behavioral science is the single most effective means of reducing human risk.

This style of training will allow you to measure and put risk into context.

If employees are reporting threats, you know that they're actually learning.

And if employee behavior is improving, this likely means your organizational risk is being reduced as a result.

Traditional cyber awareness doesn't change behavior

Employees represent the biggest attack surface for most organizations.

And the more employees you have, the bigger that risk is going to be.

Traditional compliance-based cyber awareness training doesn't go far enough to prevent security breaches.

69% of employees say they have knowingly bypassed their company’s cybersecurity guidance.

And 74% would be willing to do so if it helped them accomplish a business goal.

Infrequent training once a year with no follow-up practice doesn't actually prepare employees to deal with real-life cyber threats.

If you want to reduce cyber risks related to employees, you'll need to make sure your training changes the way employees behave...

This is how you ensure employees can spot and respond to threats.

When we talk about behavior change, we just mean modifying human behavior.

Behavior is a computed response to stimuli (whether internal or external, conscious or subconscious, overt or covert, voluntary or involuntary).

For Security Teams, the behaviors that need to be trained are:

  • Employees must be able to identify threats.
  • Employees must be able to report threats.

You can't change behavior overnight - it takes time and practice.

That’s why yearly (or even quarterly) cyber awareness training and phishing simulations just don't cut it.

The more often the user can learn about and get hands-on practice with security threats, the better they'll be able to catch them in the wild.

Social engineering attacks are always evolving in sophistication and increasingly targeting employees.

This is why building a strong human firewall matters.

Awareness alone won't provide any meaningful protection...

You need a people-first cybersecurity training approach that can positively impact people’s behavior (and therefore organizational risk).

Human risk stats

The problem with awareness training is that (as the name suggests) it only focuses on awareness.

And awareness doesn't tend to have any measurable impact on people's cybersecurity skills.

Most of what people learn from training will be forgotten and no habits will be formed.

Awareness training uses policies and strict rules (the do’s and don’ts).

When you put too much emphasis on following rules, employees are likely to perceive cybersecurity as something negative - another annoying bit of compliance disrupting their day-to-day work.

Building habits can be a long process that takes continuous reinforcement.

This is where phishing simulations come into play.

Without practice and experience, employees aren't going to be able to detect attacks.

People need to be motivated to engage with practical exercises so that your training will result in behavior change.

The science behind changing behavior

To successfully implement cyber awareness training that changes behavior, it’s essential to understand how people actually behave...

What motivates them? And how can you influence them?

Psychological influencing strategies integrated into awareness training teach employees the right behavior online and diminish high-risk behavior.

Training and persuasion techniques

Persuasion just means an attempt to change behavior without using coercion or deception.

The two main persuasion techniques for behavior change are:

  • Influencing: using social and psychological techniques to persuade individuals to adopt desired behaviors
  • Shaping: reinforcing incremental changes towards a desired behavior through rewards and feedback.

Wheel of behavior change

This is the wheel of behavior change: To achieve behavior change, you need to include the three key elements in your training (personalization, shaping through practice, and positive reinforcement).

What does it take to change someone's behavior?

The mechanisms used in successful training

Using influence as a persuasion strategy in your cyber awareness training can be tricky.

Even when the advice comes from an expert, people aren't very likely to follow the rules.

This doesn't necessarily mean influencing can't be used in training at all.

It just means you'll need to use positive emotions.

Most cybersecurity playbooks rely on fear as a primary influencing technique.

But since fear is a negative emotion, it's very likely to result in resistance, rather than any meaningful behavior change.

To successfully change people’s behavior, cyber awareness training needs influence.

So, when developing your behavior-changing approach or shopping around for vendors, you might want to consider these factors:

The messenger: Who communicates the information? Information is usually well received when it comes from an authority.

Incentives: What incentives are you offering employees? (These don't necessarily have to be physical rewards).

Norms: The general culture and environment of your organization will directly impact how the employees perceive training matters. If others around them are positive towards cybersecurity, an employee is more likely to follow suit.

Salience: Training works best when relevant to employees. Personalized and relevant content will boost engagement.

Affect: Emotions play a major role in how people act. When people feel positive about training, they're more likely to engage with the practices.

Commitment: Most people will try to be consistent with public promises. If an employee makes a commitment to cyber awareness training, they'll be more likely to follow through.

Ego: We humans will generally act in ways that make us feel good about ourselves. This is why recognition and reward are such useful tools for effective training.

Personalization matters

Every employee will have a different level of cyber knowledge and skills.

Some will have done cyber awareness training in previous workplaces which will have molded their perceptions about security (for better or worse, depending on the quality of the training).

Personalizing training to individual employees isn't always easy.

But it is absolutely necessary if you want to see outcomes improve.

To influence people, home in on personal motivation and ability.

The first step towards forming new habits is overcoming negative feelings about cybersecurity and training.

A few things to consider when personalizing training:

  • Cyber knowledge
  • Skill level
  • Language
  • Territory
  • Department
  • Role
  • Co-workers

This will allow you to meet employees where they're at and tailor content to the tasks they carry out on a daily basis and the people they usually interact with.

The role of motivation

Motivation is born when people actually enjoy an activity.

If training leaves employees feeling satisfied, they'll attach positive feelings towards it.

Earning a reward or avoiding punishment can also help drive motivation.

Great training will motivate people to follow the rules they’ve learned.

But when the rules hinder their work, they may well go out of the window.

This is why it's important not only to incentivize the right behavior but also to remove barriers to motivation.

These might include:

  • Complicated rules
  • Heavy reading materials
  • Unengaging classes and e-learning
  • Training that’s too difficult or too easy

Too many blockers are likely to result in “security fatigue”.

This is when people stop caring about security.

And when enthusiasm for security is low, this is how breaches occur.

What is the 'shaping' technique? And how can it be applied to cyber awareness training?

Changing people's behavior doesn't necessarily mean you need to change how they think.

The shaping technique can impact the actions employees take in security training.

Shaping is a subtle way of creating a new habit...

It uses a series of small steps and actions to modify the learner’s behavior.

The goal is to give people the knowledge they need to perform a particular action by following specific processes.

To reduce your organization’s human risk, employees need continuous training and practice.

Engaging, personalized training will encourage employees to think critically about cyber threats.

And if your reporting process is straightforward, this can become second nature with enough practice.

Positive reinforcement is essential for behavior change

Positive reinforcement is a critical component of the shaping technique.

Simply put, you need to have a desirable stimulus once someone performs a behavior if you want them to repeat that behavior.

Shaping is best applied to training when employees receive recognition and feedback.

Positive reinforcement can include:

  • Awards
  • Rewards
  • Scores
  • Competition
  • Leaderboard
  • Recognition
  • Feedback

Feedback is important when it comes to positive reinforcement.

Employees can learn from additional training moments following any phishing simulations you're running: what did they do right? What were the clues?

They should then be more motivated to report a threat next time.

Positive reinforcement is such an effective long-term strategy because we find it easier to remember learnings when we associate them with positive feelings.

Hoxhunt gamified cyber awareness training

Negativity and punishment don't work

When you're managing something like cybersecurity, which can have catastrophic consequences if mismanaged, completely removing negativity may seem like a tough thing to do.

However, you should not punish employees for the wrong behavior.

Sticking to positive reinforcement is far more effective for improving security culture and employee cooperation.

Punishment (very) rarely ever helps change behavior.

Instead, employees will be defensive, secretive, or uncooperative.

To be able to see what kind of threats are coming in, you need people to actually come forward and report them.

And if employees fear criticism, nothing will be reported.

Employees need to know that it’s safe to come forward when they’ve made an error.

How to create behavior change with cyber awareness training

By now we're hoping you have a good idea of the theory behind changing employee behavior.

So, now we'll look at how you can reshape your cyber awareness training to create habits.

First off, it's worth noting that behavior change can work for any company.

If you already have cyber awareness and compliance-based training in place, you'll need to go a step further.

To change behavior and reduce risk, continuous practical training is needed.

If you don’t yet have any sort of training currently, the Hoxhunt method below is easy to pick up and run with...

And you'll start to see outcomes improve almost immediately.

Hoxhunt's recipe for effective cyber awareness training

Effective communication

Getting employees on side is a necessary step towards successfully changing behavior.

People need to actually understand why their support and participation is so important.

Use practical training and simulations

Practice makes perfect.

Without consistent practice, employees won’t have the skills or confidence to spot and report real cyber breaches that manage to slip through your email filters.

This is why using phishing simulations is so crucial.

By mimicking real threats in a controlled environment, you can prepare employees for facing the real thing.

Here at Hoxhunt, we believe that the only way to foster secure behavior is learning by doing.

So make sure you're running some form of simulations to give employees hands-on experience catching threats.

Make sure training is continuous with frequent practice

A few simulations a year are unlikely to make any real difference.

Most people don't retain much from the occasional training session.

Infrequent tests certainly won’t shape the adoption of the right cybersecurity habit of staying alert and reporting anything suspicious.

So if you're running simulations, make sure they're being sent out frequently.

Building habits through shaping takes time.

Which is why at Hoxhunt, we aim to send users at least 36 simulations a year.

That’s one every ten days.

Reinforce positive behavior

Positive reinforcement will have a measurable impact on people’s emotions and motivation towards training.

Implementing this into your training doesn't need to be difficult.

These small steps will make a big difference:

  • Recognition (gamification like collecting stars, points, and showing leaderboards)
  • Feedback
  • Micro-learning mechanisms

Note: Hoxhunt fuses all these positive reinforcement tools into training to keep employees engaged and coming back for more.

Keep your attack simulations updated

New types of attacks are always emerging.

Some current cybersecurity threats are well-crafted and hard to spot - preying on people’s emotions.

Regularly updating your attack simulations will ensure that employees get a feel for the latest threats.

Personalize content

If you want to get employees to care about training, you'll need to make sure it's personalized and relevant.

The primary factors to consider are employees' specific skills and knowledge.

The next layer of personalization would then be language, geography, culture, department, role in the organization, time spent in the organization, or even teams, collaborators, and tools used.

The more of these you can take into account when sending out simulations and training, the more engaging and realistic they'll be.

Integrate training into employees' workflows

Where most cyber awareness training solutions go wrong is by interrupting employees' regular work.

If security measures interfere with their workflow, they're unlikely to cooperate and learn.

Training doesn't have to be like this though...

Incorporating security into daily tasks is more productive than pulling people away from them.

When employees check their emails, they might spot a simulation.

This takes just a few seconds out of their day and is exactly how a breach would occur in real life.

Simplify your reporting process

Your reporting process should be as easy and effortless as you can possibly make it.

Teaching employees how to spot threats is one thing...

But even when people know they should report a threat, if the process is complicated they're highly unlikely to do so.

With Hoxhunt, people can use our reporting plugin for reporting simulations and actual phishing emails. (It’s just a click of a button and only takes a few seconds).

Measuring success: what should you track?

If your training is focused on behavior change, then reporting rate is going to be your key metric.

This will tell you how many people engaged with training.

Your overall goal should be to engage as much of your organization as you can so that you can be confident they're developing the skills through recognizing and reporting simulations.

Keep an eye on:

  • Average simulation reporting rate per employee: Make sure your training is reaching all employees, not just those who fail simulations. At Hoxhunt, we advise our clients to aim for at least an average 70% reporting rate.
  • Real threat reporting rate: The whole purpose of training is to help employees identify real-world phishing attacks. This'll also give you more data on what real threats are coming your way.
  • Dwell time: This is the period between a threat entering your network and it being reported. Most platforms don't track this metric, but if you find a solution that does (like Hoxhunt) it's worth keeping tabs on to give you an idea of how much damage an attack could actually do.

While failure rates might tell you something about people’s learning, it's not the best metric for gauging your success.

A low failure rate doesn't necessarily mean your training is working.

Your failure rate might depend on things like the difficulty level of simulations, the variety of the content, individual points of view, timing and frequency.
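As an added illustration (not part of the original article and not Hoxhunt's own code), the following Python computes the three metrics above, plus the failure rate for contrast, from a constructed set of delivery and report records. The record layout, the employee names and every timestamp are assumptions made for the example; dwell time is measured per real campaign as the first report minus the first delivery.

```python
"""Constructed example: behavior-change metrics from delivery/report records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Delivery:
    message_id: str                  # simulation or real campaign identifier
    recipient: str
    kind: str                        # "simulation" or "real"
    delivered_at: datetime
    reported_at: Optional[datetime]  # None if the recipient never reported it
    clicked: bool = False            # recipient clicked the lure (a "failure")


T0 = datetime(2024, 3, 4, 9, 0, 0)   # constructed reference time


def at(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed sample data: three simulations sent to three employees,
# plus two real phishing campaigns. None of this is real telemetry.
EVENTS = [
    Delivery("sim-1", "alice", "simulation", at(0), at(2)),
    Delivery("sim-2", "alice", "simulation", at(60), at(63)),
    Delivery("sim-3", "alice", "simulation", at(120), None, clicked=True),
    Delivery("sim-1", "bob", "simulation", at(0), None, clicked=True),
    Delivery("sim-2", "bob", "simulation", at(60), at(70)),
    Delivery("sim-3", "bob", "simulation", at(120), None, clicked=True),
    Delivery("sim-1", "carol", "simulation", at(0), at(1)),
    Delivery("sim-2", "carol", "simulation", at(60), at(61)),
    Delivery("sim-3", "carol", "simulation", at(120), at(125)),
    Delivery("real-1", "alice", "real", at(180, 0), None),
    Delivery("real-1", "bob", "real", at(180, 5), at(181, 30)),
    Delivery("real-1", "carol", "real", at(180, 10), at(181, 10)),
    Delivery("real-2", "alice", "real", at(240), at(245)),
]


def average_simulation_reporting_rate(events):
    """Mean over employees of (simulations reported / simulations received),
    so one heavy reporter cannot mask colleagues who never report."""
    received, reported = defaultdict(int), defaultdict(int)
    for e in events:
        if e.kind == "simulation":
            received[e.recipient] += 1
            if e.reported_at is not None:
                reported[e.recipient] += 1
    return mean(reported[u] / received[u] for u in received)


def real_threat_reporting_rate(events):
    """Share of real phishing deliveries that the recipient reported."""
    real = [e for e in events if e.kind == "real"]
    return sum(e.reported_at is not None for e in real) / len(real)


def dwell_times_seconds(events):
    """Per real campaign: first report minus first delivery, in seconds.
    Campaigns nobody has reported yet are omitted (their dwell time is open)."""
    first_seen, first_reported = {}, {}
    for e in events:
        if e.kind != "real":
            continue
        first_seen[e.message_id] = min(first_seen.get(e.message_id, e.delivered_at), e.delivered_at)
        if e.reported_at is not None:
            first_reported[e.message_id] = min(first_reported.get(e.message_id, e.reported_at), e.reported_at)
    return {m: (first_reported[m] - first_seen[m]).total_seconds() for m in first_reported}


def median_dwell_seconds(events):
    return median(dwell_times_seconds(events).values())


def simulation_failure_rate(events):
    """Share of simulation deliveries that were clicked: the metric the text
    says is not sufficient on its own."""
    sims = [e for e in events if e.kind == "simulation"]
    return sum(e.clicked for e in sims) / len(sims)
```

On the constructed data the per-employee reporting rates are 2/3, 1/3 and 3/3 (average 66.7%), three of four real deliveries were reported (75%), and the two campaigns' dwell times are 70 s and 300 s, while the failure rate of 33% on its own says nothing about how quickly real threats surfaced.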

How we evolved from awareness to real behavior change at Hoxhunt

At Hoxhunt, we’ve moved away from traditional security awareness training.

Instead, we focus on reducing human risk through behavior change.

If the end goal is to protect your organization from cyber security threats, why waste time and budget on inefficient awareness and compliance strategies?

After a year of using Hoxhunt, 60% of users actively report real and simulated threats.

The fastest 10% of them report a threat in 55 seconds. (Hoxhunt internal data, 2023)

Hoxhunt outcomes

The faster you respond, the smaller the risk (and the price tag).

Globally, our users report a threat on average every 90 seconds.

We use this data to everyone’s benefit by sharing insight, threat reports, and even concrete examples of malicious emails.

The important thing is people are actively reporting threats, not just ignoring them.

Or even worse, interacting with them, despite knowing better.

Focusing on the metrics that matter

Don’t just take our word for it.

The AES Corporation recently compared Hoxhunt to three major security awareness tools - the numbers speak for themselves.

Hoxhunt vs other solutions

The company saw a 526% increase in reporting rate, a 79% decrease in failure rate, and a 58% decrease in miss rate.

We see you, users who ignore phishing training!

All of this combined made them 2533% more resilient as a company.

Last year, Finland’s biggest telecom company Elisa ran a benchmark study showing that employees who had undergone Hoxhunt training were 20 times less likely to click malicious links.

Effects of Hoxhunt training

We believe that real, measurable behavior change is the key to cybersecurity and human risk management.

Industry analysts agree, with Gartner stating: “By 2030, all widely adopted cybersecurity control frameworks will focus on measurable behavior change rather than compliance-based training as the critical measure of efficacy for human risk management.”

Can you run effective cyber awareness training manually? And should you?

Behavior changing training should be in the toolbox of every forward-thinking CISO.

This is the only reliable, concrete way to truly lower human risk.

Frequent practical training gives people tangible skills to defend your organization.

Is it difficult to adapt this methodology for behavior change?

Full transparency: doing it manually is possible – but not recommended (especially if you have thousands of employees.)

Changing behavior through training is both labor and time intensive if done manually.

Want to keep updated with the latest attacks and build personalized learning paths for each employee?

Then you'll need to automate this process.

This is where security tools like Hoxhunt come in.

Forget awareness posters, videos, or quizzes...

Hoxhunt was purpose-built to maximize results with minimal effort 👇

Personalize phishing simulations at scale: Hoxhunt’s AI engine generates a unique profile for every user and automatically delivers the most relevant phishing simulations based on skill, language, department, and more.

Multi-channel engagement: Enhance your security awareness with intuitive training that integrates directly into employees’ daily tools. Activate Hoxhunt with a single click on platforms like Microsoft Office, Google Workspace, Slack, and Microsoft Teams.

Powerful dashboards to track your progress: Get real-time visibility into your program performance with modern dashboards comprising next-level metrics. Set your priorities with data-driven decisions and report to leadership with ease and confidence.
