
Same Old Security Problems: Cyber Training Still Fails Miserably

Why Cyber Training Still Fails Miserably (And How to Fix It)

The industry has been running cybersecurity awareness training for over 20 years. Companies have spent billions on phishing simulations, mandatory videos, and compliance quizzes. Yet nearly 30% of companies still use 8-character passwords, and human error remains responsible for over 74% of all breaches. The hard truth is that the current training model is broken. It treats security as a "knowledge problem" (assuming that once employees know the rules, they will follow them) when it is actually a "behavior problem" (they know the rules, but the friction of following them is too high).

The Problem: The Compliance Trap

Most organizations design training to satisfy auditors, not to change habits.

  • The “Check-the-Box” Failure: Employees often view security training as a penalty or a chore, clicking “Next” as fast as possible just to clear notifications.

  • The “Gotcha” Culture: Phishing simulations frequently trick employees rather than teaching them. This creates resentment instead of resilience.

  • The Reality Gap: Policies often demand complex passwords that expire every 90 days (which NIST now advises against) while ignoring simple tools like Passkeys or Password Managers that actually solve the problem.

The New Playbook: From Awareness to Behavior

To actually reduce risk, organizations need to stop "training" and start "designing."

1. Ditch the "Perfect Password" Myth

Stop forcing users to memorize complex strings.

  • The Fix: Mandate Password Managers and move to Passkeys or MFA (Multi-Factor Authentication).

  • Why: A human cannot out-memorize a computer. The burden should be removed entirely.

2. Train for Culture, Not Compliance

Stop using fear. Start using relevance.

  • The Fix: Shift from annual 60-minute lectures to micro-learning (30-second tips) that happens in the moment.

  • Example: If a user tries to email a sensitive file, a pop-up should nudge them: “This looks like financial data. Do you want to encrypt it?”
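As an added illustration (not code from the original article), here is one way such an in-the-moment nudge could be driven: a small check that scans an outgoing message for financial-data indicators and returns the prompt text, or nothing when no nudge is warranted. The sample message, the keyword list and the indicator patterns are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample of an outgoing message (not from the original article).
SAMPLE_EMAIL = """Hi Sam,
Attached is the Q3 invoice summary. Please wire to account 4532015112830366
by Friday. Routing details are in the sheet.
"""

# Assumed indicator patterns: 13-19 digit runs (optionally spaced/dashed)
# and IBAN-shaped identifiers. Both are deliberately broad; the Luhn check
# below removes most random digit runs before the user is interrupted.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
FINANCE_TERMS = ("invoice", "wire transfer", "routing number",
                 "account number", "iban", "payroll")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def financial_indicators(text: str) -> list[str]:
    """Return human-readable reasons the text looks like financial data."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append("card-like number (Luhn valid)")
            break
    if IBAN_RE.search(text):
        found.append("IBAN-like account identifier")
    terms = [t for t in FINANCE_TERMS if t in text.lower()]
    if terms:
        found.append("finance keywords: " + ", ".join(terms))
    return found


def nudge_for(text: str) -> Optional[str]:
    """Build the nudge shown at send time, or None when nothing was detected."""
    hits = financial_indicators(text)
    if not hits:
        return None
    return f"This looks like financial data ({'; '.join(hits)}). Do you want to encrypt it?"
```

The nudge is advisory: it explains why it appeared, so the user learns the signal rather than just clicking past it.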

3. Reward Reporting Over "Not Clicking"

The focus is often too heavily on “don’t click.” But people will click.

  • The Fix: Celebrate when someone reports a suspicious email—even if it turns out to be safe.

  • Why: Employees need to be a “sensor network.” If they are afraid of being wrong, they will stay silent when a real breach happens.

The Bottom Line

You cannot patch a human being. As long as security creates friction, people will find a workaround. The goal of modern security training isn't to make employees expert cryptographers. It is to build a culture where security is easy by default and hard to ignore.
