Most organizations have a security awareness programme. Most security awareness programmes do not change behaviour. The two statements are not in tension — they describe the same problem from two angles. The reason awareness programmes fail to move the behavioural needle has little to do with content quality and a great deal to do with how programmes are designed.
This piece is a short, practitioner-grade view on what actually works — based on what we see in the engagements we run, the investigations we conduct after incidents, and the discussions we have with risk leaders across the region.
Awareness is necessary but not sufficient
The standard model — annual e-learning module, phishing simulation, posters in the kitchen — delivers awareness. Awareness is necessary. It is also nowhere near sufficient. The gap between people knowing the right thing to do and people doing the right thing under pressure is the gap that incidents exploit. Closing that gap is what behavioural programmes are for.
The shift from awareness to behaviour is mostly a shift in design. It moves the centre of gravity of the programme from information delivery to applied practice — and from a calendar-driven event to a continuous operating discipline.
Four shifts that matter
Role-specific over generic. A finance manager and a warehouse supervisor face fundamentally different threat patterns. The questions they need to be able to answer instantly are different. The triggers they need to recognise are different. Programmes that segment training by role-based threat profile consistently outperform generic programmes — by a wide margin.
Practice over content. People learn behaviours through repetition under pressure, not through information delivery. Programmes that build in regular, scenario-based practice — short, focused, low-friction — produce behaviour that holds up. Programmes that rely on one annual module produce attitudes that may or may not survive contact with a real incident.
Reinforcement over events. The single most consistent finding in adult learning is that behaviour change requires reinforcement over time. Quarterly reinforcement cycles built around realistic scenarios outperform any single intervention, however well-designed. Calendars and budget cycles often work against this discipline. Programme designers should plan for it deliberately.
Measurement over completion. If your programme metric is the percentage of staff who completed the module, you are measuring the wrong thing. The right metric is what proportion of staff who encounter a realistic scenario behave appropriately. Phishing simulations are the most familiar example, but the same principle applies across the behavioural surface — visitor handling, social engineering, document control, mobile-device hygiene.
The question is not whether your people know what to do. It is whether they do what they know under operational pressure.
Where the human and the technical meet
Most security incidents we investigate involve both a technical and a human dimension. The technical dimension usually gets the attention because it is more easily addressed with budget. The human dimension is harder, more uncomfortable, and arguably more important. Behavioural programmes are how organizations meaningfully reduce the surface area exposed by the people who keep the business running.
The good news is that the upgrades are not particularly expensive. They are mostly about programme design, sustained executive attention, and the discipline of measurement. The investment that returns the most is the one that converts an annual compliance event into a continuous operational discipline.
A practical first step
For organizations ready to move beyond compliance-grade awareness, a useful first step is a structured behavioural baseline — a measurement of how your workforce actually behaves across a defined set of scenarios. The baseline tells you what to focus on, what is already working, and where the return on investment will be greatest. It also gives you a number to improve against.
Done well, that single piece of work changes the conversation from "we have a programme" to "we are measurably improving behaviour against the threats that actually matter." That is the conversation worth having.