CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it
Creative, funny, and wildly engaging security awareness training doesn’t lead to lasting behavior change. What it does is make people say, “I really enjoyed your training and videos.”
It’s time to put an end to the ‘trick, train, and entertain’ mentality.
If there is no change in security behaviors, there is no reduction in organizational risk. Simple.
And before you point to your phishing simulation click rates and report rates as ‘evidence’ of behavior change, know this:
Done badly, phishing sims do more harm than they do good.
Be honest with yourself: they only focus on a very narrow set of behaviors, and other important behaviors are ignored—leaving you exposed.
They don’t address the full range of security behaviors you need to address to reduce the risk of a successful phishing incident.
They don’t tell you why people do or don’t click.
Side note: we have so much to say about phishing simulations that we wrote the (e)book on it.
So, what’s the alternative to ‘trick, train, entertain’? Nothing worse than people going off on something without offering up better suggestions.
So, we’re giving you ten.
This isn’t enough to genuinely and demonstrably reduce your risk. And you do want to reduce risk in a way you can prove, don’t you?
Train your people, yes. But recognise it for what it is—a compliance requirement, and something that helps raise awareness. Stop pretending it’s making a big difference to your people’s security behaviors. It isn’t.
Engagement without changes in security behavior is meaningless. That’s it.
Be specific about the security behaviors you want to influence, and why. Focus on addressing those specific behaviors. Stay focused. It’ll help you determine whether you’re making any impact.
Set objectives that are linked to risk-related outcomes. So instead of "I want X number of people to have completed the training," try "I want to reduce the instances of account compromise." This will help you support people in the best ways for your organization.
Be clear about the scientific evidence behind the behaviors you choose and the interventions you apply. Recognise that, unless you’re a scientist, your survey questions probably aren’t scientific and may be skewing your data.
Start measuring the impact you’re having on specific security behaviors. Of course, it isn’t easy, but that doesn’t mean you shouldn’t do it.
Your people don’t need (or want) more training. They need and want help. ‘Trick, train, and entertain’ them. Or help them. You decide. Provide information that’s relevant to them. Make better use of apps and mobile technology like CybSafe. It works. Personalize the help they get. Nudge them in the right—and most effective—way.
Stop trying to catch people out. And recognise that your click rates and report rates are only a very limited measure of anything useful. ‘Clicking’ and ‘reporting’ are just two of many security behaviors you should be trying to impact within your organization.
Most people don’t care about cybersecurity. Never forget that. And, the truth is, they might never care—at least not to the extent that we’d like. That doesn’t mean all is lost. It just means we shouldn’t rely on things like engagement, event attendance, and knowledge.
You’re going to need to dig deeper if you want to influence long-term security behaviors. Where to start? Start with this.