The Problem with Awareness Training Best Practices - and How We Can Fix It
Security awareness training best practices are not working because they take a one-size-fits-all approach, which is damaging to security culture.
The security awareness training industry follows a problematic pattern of repeating ineffective approaches rather than investigating root causes and implementing meaningful solutions.
Missing the Target
Most organizations follow vendor recommendations and industry best practices for security awareness training, assuming these approaches are evidence-based. However, research suggests that conventional practices may actually be counterproductive rather than beneficial.
Where is Your Evidence?
Security awareness training vendors frequently cannot substantiate their recommendations with credible research data. This gap exists not because individual representatives lack knowledge, but because the organizations themselves haven’t invested in rigorous validation of their methodologies.
A Research Project
From 2020 onwards, a research initiative tested whether tailored training outperformed industry-standard approaches. The study involved a 5,000-person organization divided into two groups: one receiving customized training designed for specific roles, communication styles, and organizational culture, and a control group receiving conventional industry best practices.
The Shocking Result
The targeted training group demonstrated dramatic improvements in security behaviors and attitudes. Unexpectedly, the control group exhibited a significant decline in security effectiveness, a result that challenged initial assumptions about awareness training’s neutral impact.
Key Findings
The one-size-fits-all methodology proves ineffective at best and actively harmful at worst. Organizations should instead analyze actual employee needs, work environments, tools, and perspectives. Each role and individual requires customized approaches rather than standardized programs.
Where to Start
Organizations should establish measurable baselines using consistent metrics, enabling meaningful comparison of progress over time.