Let me start with an attempt at a story:
Sarah’s eyes darted across the email subject line, which read: “URGENT: Payment Needed – Action Required”. It was 4 p.m. on a Friday, and the CEO’s name glared from the sender field. The message was specific and to the point:
"Hi Sarah, we need to make this payment before close of business today, otherwise we'll incur extra legal cost. See the payment info attached. This has to do with Project Phoenix and the merger I spoke about in the earnings call last week. I'm in back-to-back meetings with legal and others, so I've no time to explain more. Please handle it ASAP though."
Sarah’s stomach knotted with anxiety and her pulse quickened in panic. For a fleeting moment, she actually felt like she’d seen a similar message before, probably in last year’s cybersecurity awareness training. But by now that training was a blur of lifeless PowerPoint slides, forgettable screenshots and mind-numbing multiple-choice questions replete with obscure terms and concepts.
Besides, Project Phoenix was real, as was the merger. The tone wasn’t too distinct from the terse directives in recent internal memos. To top it off, “who am I to question or second-guess the CEO’s instructions, anyway?” she thought. Under pressure and vulnerable to authority cues, Sarah shrugged off her unease, did as she was told, and dutifully wired the money.
By Monday, reality caught up: some US$200,000 vanished into an offshore account controlled by fraudsters. The email? Spoofed and pieced together from information vacuumed from press releases and LinkedIn posts. In this day and age, this is by no means prohibitively difficult for any scammer worth their salt. In the end, human psychology trumped security policy.
While this cautionary tale is fictional, it does depict a scenario that commonly plays out with the recurring nightmare that is Business Email Compromise (BEC) fraud. These schemes don’t rely on technical wizardry; instead, they prey on some of what makes us human, ultimately paying enormous dividends for scam artists. By the FBI’s tally, between 2013 and 2023, BEC fraud cost organizations around the globe US$55.5 billion.
Let the figure sink in.
Ripping off the band aid
The story above exposes a major problem: even the most diligent employees are prone to forgetting what they “learned” in cybersecurity training. Dry PowerPoints, mandatory quizzes and compliance checklists are often forgettable and tedious. Many such awareness programs deliver only so-so results while failing to address the root issue: behavior. Employees endure them to get it over with, retaining little and putting into actual practice even less.
This is disconcerting because the question isn’t if employees will face an attack – it’s whether they’ll be prepared when the pressure mounts. And many clearly aren’t, as shown, for example, by Verizon’s latest Data Breach Investigations Report (DBIR), which says that more than two-thirds of data breaches involve human error. Someone obliged. Someone clicked. Someone made a mistake. Someone like Sarah.
Imagine fire drills where employees sit through a lecture on combustion theory instead of evacuating a building. When a real emergency strikes, they might burn to death, clutching their certificates of completion. So why would you “train” people to survive cyberattacks with abstract policies, rather than with engaging, simulated experience? Why subject your employees to mundane training that is likely to fail the moment pressure hits?
The antidote
No, it's not that our brains are lazy – they’re actually pretty efficient. Every day, each of us processes hundreds of messages, clicking, sharing, and responding with minimal friction. Amid the deluge of information, we've become conditioned to make split-second decisions that often prioritize speed over anything else, including security.
But rather than sending louder warnings or rehashing the same old quizzes, the solution requires "hacking" brains. To be more exact, it involves using techniques that can help rewire decision-making pathways and train us to suspend our habitual reactions – or even bake new habits into some of our behaviors. Our brains are prone to discarding dry facts in order to conserve energy, but they will happily cling to emotionally charged, participatory experiences.
This is where realistic simulations and well-thought-out gamification can help, borrowing elements from video games that naturally engage the brain. In fact, whether it’s your fitness app turning workouts into status games or social media apps feeding our craving for validation with endorsements, many of your everyday apps already involve some of the principles underpinning gamification. Game mechanics are also being used with great success in capture-the-flag (CTF) competitions that countless IT professionals eagerly join each year.
Wired for stories
One key way of upping your organization’s security game (no pun intended) involves leveraging the power of storytelling. Stories are far more than a way to pass the time – they’ve always helped us make sense of the world and even share survival strategies. They light up the brain’s pleasure and emotional regions, ultimately changing attitudes and behaviors.
So it only makes sense that the power of this survival tool is increasingly being harnessed for survival in today’s digital jungle, especially through gamification. When security challenges are woven into a gripping storyline that presents threats as characters, security measures as tools and employees as heroes, memory formation and recall can increase significantly.
Meanwhile, realistic phishing simulations provide hands-on learning and help build muscle memory. They don't just teach – they test and reinforce the right behaviors in context and in a safe environment. Scenario-based learning and realistic simulations place employees in situations that mirror actual threats and breathe life into security concepts, helping create emotional memory anchors that persist long after the training ends. The proliferation of schemes involving deepfakes and other AI-aided ploys only raises the urgency further – consider the case from just weeks ago in which a finance professional paid out US$25 million after a video call with deepfake versions of senior staff members.
From checkbox to checkmate
So, imagine that Sarah, faced with that urgent email, doesn’t panic; instead, she pauses. She recognizes the red flags, because she has encountered similar scenarios in her engaging security training. She’s built the muscle memory to stop, think, and verify before taking action. In the end, instead of wiring funds to a cybercriminal, she alerts the security team to a sophisticated attack attempt, turning a potentially embarrassing mishap (followed by unfavorable media coverage of a successful cyber-incident) into a powerful learning moment for herself and the rest of the company.
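The "stop, think, verify" reflex the story is after has a technical counterpart on the defender's side: the same cues Sarah is trained to notice (an executive's name on an unfamiliar sender address, urgency, a payment request, a line that discourages checking back) can be scored by a mail gateway or a security team's triage script so that a message like hers is held for out-of-band verification instead of landing in an inbox as a plain "urgent" note. The following is an added example written for this page, not code from the original post or from ESET; the executive directory, the corporate domain `example.com`, the sample messages and the keyword lists are all constructed, and the scoring is a deliberately simple heuristic rather than a tested detection product.

```python
"""
Added example (not from the original post): a defender-side BEC triage heuristic.

It scores an email on the social-engineering cues described in the story
(authority, urgency, payment, discouraged verification) plus two header
mismatches a gateway can see: an executive's display name on an address
outside the company domain, and a company address that arrived from the
internet (a classic spoofing sign). A high score routes the message to
out-of-band verification (e.g. calling the executive on a known number),
which is exactly the behaviour the training aims to build in people.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical organisation data; a real deployment would pull these from a directory.
CORP_DOMAIN = "example.com"
EXECUTIVES: Dict[str, str] = {"Alex Chen": "CEO"}   # display name -> role (constructed)

# Constructed cue lists; tune them to the language your own staff actually use.
URGENCY_RE = re.compile(r"\b(urgent|asap|today|immediately|close of business)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|payment|transfer|invoice|bank details)\b", re.I)
SECRECY_RE = re.compile(r"\b(no time to explain|don't tell|keep this confidential)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str
    received_from_outside: bool   # set by the gateway: did the message arrive over the internet?


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_bec(msg: Message,
              executives: Dict[str, str] = EXECUTIVES,
              corp_domain: str = CORP_DOMAIN) -> Tuple[int, List[str]]:
    """Return (score, reasons); one point per cue observed. Purely heuristic."""
    reasons: List[str] = []
    text = f"{msg.subject}\n{msg.body}"
    claims_exec = msg.display_name in executives
    from_dom = _domain(msg.from_addr)

    if claims_exec and from_dom != corp_domain:
        reasons.append("executive display name on an external sender address")
    if claims_exec and from_dom == corp_domain and msg.received_from_outside:
        reasons.append("company sender address arrived from outside (possible spoof)")
    if msg.reply_to and _domain(msg.reply_to) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
    if PAYMENT_RE.search(text):
        reasons.append("payment or wire request")
    if SECRECY_RE.search(text):
        reasons.append("discourages verification")
    return len(reasons), reasons


def triage(msg: Message, threshold: int = 3) -> str:
    """Route messages with enough cues to a human check before any money moves."""
    score, _ = score_bec(msg)
    return "hold for out-of-band verification" if score >= threshold else "deliver"


# Constructed samples. SARAH_MSG mirrors the email in the story above.
SARAH_MSG = Message(
    display_name="Alex Chen",
    from_addr="alex.chen@examp1e-corp.com",        # look-alike external domain (constructed)
    reply_to=None,
    subject="URGENT: Payment Needed - Action Required",
    body=("Hi Sarah, we need to make this payment before close of business today, "
          "otherwise we'll incur extra legal cost. See the payment info attached. "
          "I'm in back-to-back meetings, so I've no time to explain more. "
          "Please handle it ASAP though."),
    received_from_outside=True,
)

SPOOFED_INTERNAL_MSG = Message(                     # forged company address, external Reply-To
    display_name="Alex Chen",
    from_addr="alex.chen@example.com",
    reply_to="alex.chen.private@mailbox.example",
    subject="Quick favour",
    body="Can you send the bank details for the vendor transfer? Keep this confidential for now.",
    received_from_outside=True,
)

BENIGN_MSG = Message(
    display_name="Jordan Lee",
    from_addr="jordan.lee@example.com",
    reply_to=None,
    subject="Agenda for Monday",
    body="Hi Sarah, attached is the agenda for Monday's team meeting. See you there.",
    received_from_outside=False,
)

if __name__ == "__main__":
    for m in (SARAH_MSG, SPOOFED_INTERNAL_MSG, BENIGN_MSG):
        score, reasons = score_bec(m)
        print(f"{m.subject!r}: score={score} -> {triage(m)}; {reasons}")
```

Note that the two header checks only work if the gateway records whether a message crossed the internet boundary; in practice that signal comes from SPF/DKIM/DMARC evaluation on the receiving side, which this example abstracts into the `received_from_outside` flag. The keyword cues on their own will also fire on legitimate finance traffic, which is why the output is a "hold for verification" routing decision rather than a block.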
The end goal isn’t only compliance – it’s to make security behaviors stick and, indeed, to make them almost as instinctive as flinching from fire.
Why not try ESET’s Cybersecurity Awareness Training (currently available in the US and Canada) that puts 30-plus years of the company’s cybersecurity experience into a comprehensive training solution and delivers innovative and engaging content for organizations of all sizes?