Cybersecurity Training & Commitment (Chris Wright Commentary)

Chris Wright

THIS IS AN OPINION


Whether it’s discovering how to code or playing the guitar, we have all been guilty of trying to pick up a new hobby without fully committing.

We invest in the needed supplies and begin watching video tutorials. We might even complete an online course. But we never actually practice. So, when we open our laptops or start plucking strings, we quickly hit a roadblock. Why didn’t our virtual training pay off? Because we simply went through the motions, checking the box. Without real, consistent engagement, we can’t truly master new skills — or gain the confidence needed to execute them.

Experts suggest it takes 20 hours to learn a new skill. But it’s more than the time logged. According to Forbes, becoming functionally competent at something requires deliberate practice.

The same concept applies to security awareness training. The purpose of these programs is to equip and empower employees to serve as a “human firewall,” capable of recognizing and responding to potential threats.

Unfortunately, if not delivered appropriately, organizations’ educational sessions often fail to translate into user behavior. Recent research by the University of California, San Diego found that businesses’ training “as implemented today” (i.e., rote, mandatory annual programs) is “unlikely to offer significant practical value” in reducing organizational risk.

Hence the need for more effective security awareness training. The first step to ensuring a return on investment from these sessions is for companies to assess and understand their own unique risk landscape. This insight will allow them to tailor their training to their potential vulnerabilities, needs and goals. With relevant, real-world examples, organizations can better engage workers and teach them to practice smart cyber hygiene.

Equally crucial to the process is for businesses to explain the value of security awareness training. Following the sessions, team members should be able to answer the question, “Why does this matter to me?” As the peer-reviewed journal Computer stresses, “People will be more apt to thoughtfully make security decisions when they have a sense of personal responsibility and view security as relevant” to their daily responsibilities. Whether guided by an internal team member or an experienced cybersecurity professional, providing engaging content that resonates with employees is essential to building buy-in and fostering a stronger security culture.

According to the FBI, phishing and spoofing scams remain the leading contributors to cybercrime. And human error is by far the biggest reason that individuals fall prey. As we wrap up 2025, some organizations might pat themselves on the back for achieving a 100% employee completion rate for their annual cybersecurity training. But a perfect score doesn’t mean workers will be adequately prepared for phishing emails, nor does it prevent them from clicking on nefarious links. The true measure of success is a positive change in users’ behavior toward more proactive risk reduction. By providing tailored, engaging security awareness training year-round, companies can give themselves the best gift of all — greater cyber resilience.


 

Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. Email him at chris@swtechpartners.com.