
How to Build a Security Awareness Programme

Most security awareness programmes achieve high completion rates but no measurable behaviour change. This guide explains how to build a role-based, simulation-led programme measured against real risk reduction, not training activity.

Xcademia Research Team
May 23, 2026
7 min read
How to Build a Security Awareness Programme That Actually Changes Behaviour

The annual security awareness training video takes seven minutes. It covers phishing, password hygiene, and physical security. At the end, there is a three-question quiz. Ninety-two per cent of employees pass it. Six weeks later, the same employees click a phishing simulation email at the same rate they did before the training. 

This is not a failure of employee engagement. It is a failure of programme design. Behavioural change does not come from information transfer. It comes from repeated exposure, immediate feedback, emotional salience, and relevance to the individual's actual work context. None of these things appear in a seven-minute annual video. 

This guide is for the security manager who has been given a budget and the responsibility to build a programme that actually works. Not compliant. Actually effective.

The measure of a security awareness programme is not completion rate. It is behaviour change rate. An organisation where ninety-five per cent of employees completed the training and phishing click rates are unchanged has spent money on compliance. An organisation where sixty per cent completed the training and phishing click rates have halved has built a programme. 

Why Most Programmes Fail 

Understanding what does not work is as important as understanding what does. These are the patterns that consistently produce high completion rates and no measurable behaviour change. 

(1) Annual cadence 

The human brain does not retain information that it is not repeatedly reminded of and required to use. A single annual training event covers content that employees will not encounter again for twelve months. By month two, the specific information is largely inaccessible. By month twelve, it might as well not have happened. Security awareness is not a topic you teach once. It is a habit you build through repeated, spaced reinforcement. 

(2) Generic content 

A phishing example that shows a Nigerian prince scam is not relevant to a financial analyst who handles wire transfer requests daily. A physical security module that discusses tailgating into a server room is not relevant to a fully remote workforce. When training content is not connected to the employee's actual work context and actual risk exposure, the brain correctly categorises it as not relevant and does not retain it. 

(3) Passive consumption 

Watching a video produces awareness of information. Awareness of information does not produce changed behaviour. The research on behaviour change is consistent: people change behaviour when they practise the new behaviour, receive immediate feedback on whether they did it correctly, and experience the consequence of the behaviour in a low-stakes environment before they encounter it in a real one. Phishing simulations work because they are active, not passive. More of the programme should work the same way. 

(4) Treating all employees as the same 

The CFO's risk profile is different from the warehouse manager's risk profile. The developer who commits code is exposed to different attack vectors than the customer service representative who handles payment queries. A security awareness programme that delivers the same content to every employee is optimising for compliance, not for risk reduction. 

The programme that treats completion as success has confused the activity with the outcome. The activity is training. The outcome is reduced risk. These are not the same thing and proxy metrics for one do not represent the other. 

What a Programme That Works Looks Like 

Effective security awareness programmes share five structural characteristics that distinguish them from compliance exercises.

(1) Continuous, Not Annual 

WHAT: Twelve monthly touchpoints of five to eight minutes each, rather than one annual session of sixty minutes. Each touchpoint covers a single topic in the specific context of the target audience. The total learning time is the same. The retention and behaviour change are substantially higher because of spaced repetition and topic specificity. 

MEASURE: Monthly completion rate (target: 85%+). Topic engagement time vs completion time ratio. Phishing simulation click rate trend month-on-month.

(2) Role-Based, Not One-Size 

WHAT: Content pathways segmented by risk profile, not by department. Finance staff: BEC, invoice fraud, wire transfer verification. Developers: secure coding, secrets management, dependency security. Executives: spear phishing, vishing, social engineering of senior leadership. Everyone: phishing, password hygiene, physical security basics. 

MEASURE: Click rate segmented by role group. Reporting rate segmented by role group (who actually reports suspicious activity). Incident involvement rate by role group.

(3) Simulation-Led, Not Lecture-Led 

WHAT: Phishing simulations are the most effective single tool in security awareness because they are active rather than passive, they deliver immediate feedback at the moment of behaviour, and they are repeatable. The most effective programmes run phishing simulations monthly, vary the sophistication level, and provide immediate teaching moments when employees click rather than shame or punishment. 

MEASURE: Phishing simulation click rate over 12 months. Report rate (did employees use the "report phishing" button?). Repeat click rate (did people who clicked once click again after the teaching moment?). 

(4) Immediate Feedback, Not Deferred Consequence 

WHAT: When an employee clicks a phishing simulation, the teaching moment is in that instant. Not at the next annual training. Not in a report to their manager. In the moment of the click, a brief, non-punishing, specific explanation of what made this email a phishing attempt. Employees who receive immediate contextual feedback at the moment of the behaviour change faster than those who receive deferred feedback. 

MEASURE: Time between simulation click and feedback delivery. Repeat click rate for employees who received immediate vs deferred feedback. Self-reported confidence in identifying phishing after immediate feedback. 

(5) Measured Against Risk, Not Completion 

WHAT: The programme's success metrics should be risk metrics, not activity metrics. Phishing click rate is a risk metric. Incident reporting rate is a risk metric. The number of security incidents attributed to human error is a risk metric. Completion rate, quiz pass rate, and training hours are activity metrics. The board should receive risk metrics. The security team should track activity metrics only as leading indicators of the risk metrics they actually care about. 

MEASURE: Phishing simulation click rate (target: below 5% after 12 months). Phishing report rate (target: above 25% after 12 months). Human-error-attributed incidents as a proportion of total incidents. Mean time to report a suspicious event. 
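The five MEASURE lines above describe the risk metrics a programme should report, but they do not show how to derive them from what a simulation platform actually exports. The script below is an added example, not code from the article or from any of the platforms named later; it assumes a per-user, per-campaign export with delivery, click and report timestamps (a constructed sample is embedded) and computes click rate and report rate by campaign and by role group, the repeat click rate, mean time to report, and a check of the latest campaign against the 5% click and 25% report targets stated above.

```python
"""Phishing-simulation risk metrics from a constructed campaign export.

Added example, not from the original article. It assumes the simulation
platform exports one record per user per campaign with a delivery time
and optional click / report times. The records below are constructed
sample data, not results from any real programme.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: (campaign, user, role, delivered, clicked, reported).
# Timestamps are ISO-8601; None means the user did not click / report.
SAMPLE_EVENTS = [
    ("2026-01", "alice", "finance", "2026-01-10T09:00", "2026-01-10T09:07", None),
    ("2026-01", "bob",   "finance", "2026-01-10T09:00", None,               "2026-01-10T09:20"),
    ("2026-01", "carol", "dev",     "2026-01-10T09:00", "2026-01-10T09:15", None),
    ("2026-01", "dave",  "dev",     "2026-01-10T09:00", None,               None),
    ("2026-01", "erin",  "exec",    "2026-01-10T09:00", "2026-01-10T09:02", "2026-01-10T09:05"),
    ("2026-02", "alice", "finance", "2026-02-10T09:00", None,               "2026-02-10T09:30"),
    ("2026-02", "bob",   "finance", "2026-02-10T09:00", None,               "2026-02-10T09:10"),
    ("2026-02", "carol", "dev",     "2026-02-10T09:00", "2026-02-10T09:40", None),
    ("2026-02", "dave",  "dev",     "2026-02-10T09:00", None,               "2026-02-10T10:00"),
    ("2026-02", "erin",  "exec",    "2026-02-10T09:00", None,               None),
]

# Targets quoted in the article: below 5% clicks, above 25% reports after 12 months.
TARGETS = {"click_rate_max": 0.05, "report_rate_min": 0.25}


def parse(events):
    """Turn raw export tuples into dicts with datetime fields."""
    rows = []
    for campaign, user, role, delivered, clicked, reported in events:
        rows.append({
            "campaign": campaign, "user": user, "role": role,
            "delivered": datetime.fromisoformat(delivered),
            "clicked": datetime.fromisoformat(clicked) if clicked else None,
            "reported": datetime.fromisoformat(reported) if reported else None,
        })
    return rows


def rate_by(rows, field, key):
    """Share of delivered users with `field` set (clicked/reported), grouped by `key`.

    key="campaign" gives the month-on-month trend; key="role" gives the
    role-segmented view the article asks for.
    """
    delivered, hit = defaultdict(int), defaultdict(int)
    for r in rows:
        delivered[r[key]] += 1
        if r[field] is not None:
            hit[r[key]] += 1
    return {k: round(hit[k] / delivered[k], 3) for k in delivered}


def repeat_click_rate(rows):
    """Of users who clicked once and received a later campaign, the share who clicked again."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    prior = repeaters = 0
    for recs in by_user.values():
        recs.sort(key=lambda r: r["campaign"])
        first = next((i for i, r in enumerate(recs) if r["clicked"]), None)
        if first is None or first == len(recs) - 1:
            continue  # never clicked, or no later campaign to measure against
        prior += 1
        if any(r["clicked"] for r in recs[first + 1:]):
            repeaters += 1
    return round(repeaters / prior, 3) if prior else 0.0


def mean_minutes_to_report(rows):
    """Mean minutes from delivery to report, per campaign (only users who reported)."""
    totals, counts = defaultdict(float), defaultdict(int)
    for r in rows:
        if r["reported"] is not None:
            totals[r["campaign"]] += (r["reported"] - r["delivered"]).total_seconds() / 60
            counts[r["campaign"]] += 1
    return {c: round(totals[c] / counts[c], 1) for c in totals}


def latest_campaign_status(rows):
    """Compare the most recent campaign against the stated click and report targets."""
    latest = max(r["campaign"] for r in rows)
    click = rate_by(rows, "clicked", "campaign")[latest]
    report = rate_by(rows, "reported", "campaign")[latest]
    return {
        "campaign": latest,
        "click_rate": click, "click_target_met": click <= TARGETS["click_rate_max"],
        "report_rate": report, "report_target_met": report >= TARGETS["report_rate_min"],
    }


if __name__ == "__main__":
    rows = parse(SAMPLE_EVENTS)
    print("click rate by campaign:", rate_by(rows, "clicked", "campaign"))
    print("report rate by campaign:", rate_by(rows, "reported", "campaign"))
    print("click rate by role:", rate_by(rows, "clicked", "role"))
    print("repeat click rate:", repeat_click_rate(rows))
    print("mean minutes to report:", mean_minutes_to_report(rows))
    print("latest campaign vs targets:", latest_campaign_status(rows))
```

Every number the script reports is a risk metric in the article's sense: none of them can be improved by pushing completion of a module. The role-segmented click rate is what tells you whether the finance pathway is working for finance staff, and the repeat click rate is the direct test of whether the teaching moment after a click changed anything.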


The Tools That Accelerate Results 

(1) Phishing simulation platforms 

KnowBe4, Proofpoint Security Awareness Training, Cofense, and Hoxhunt are the leading platforms. All provide simulation capabilities, content libraries, reporting dashboards, and metrics tracking. The platform matters less than the programme design: a well-designed programme on a basic platform outperforms a poorly designed programme on the best platform. 

(2) Learning management systems 

Most organisations already have an LMS. The question is not which platform to use but how to deploy role-based content pathways within it. Short modules (five to eight minutes), mandatory monthly completion, and mobile-accessible content are the design constraints that produce completion rates worth measuring. 

(3) Security champions networks 

A security champion is an employee in a non-security role who is trained to act as a local security resource for their team. Not a technical expert. A trusted peer who can answer "should I report this?" and who reinforces security messages in the normal flow of work conversation. Champion networks consistently amplify the effect of formal training programmes at minimal additional cost.

The most effective security awareness budget allocation is typically: 40% on simulation platform and content, 30% on measuring and reporting, 20% on champion network development, 10% on executive communications. The organisations that invert this, spending most on content and least on measurement, consistently cannot demonstrate programme effectiveness.

Build Security Awareness and IS Management Capability 

Xcademia's XCISM programme covers information security programme management including security awareness as a component of a mature IS programme. Five instructor-led days. Practitioner-assessed. Built for IS managers who need to design, implement, and measure programmes that deliver real security outcomes. 
