Why Security Awareness Training Failed and What's Next

Security awareness training isn't stopping breaches. Learn why human behavior matters and what security teams should do next. (Includes infographic)

For years, cybersecurity has responded to human-related security incidents with the same prescription: more training.

An employee clicks a phishing link? More awareness training. Someone mishandles sensitive data? More awareness training. Password hygiene problems? Annual training and a few reminder emails should do the trick.

The approach has become so deeply embedded in cybersecurity culture that many organizations barely question it anymore. Yet despite decades of awareness programs, phishing simulations, compliance modules, and policy attestations, human-related security incidents remain stubbornly common.

In a recent episode of CYBR.Minded, host Dr. Dustin Sachs sat down with Dr. Calvin Nobles, Portfolio Vice President and Dean of the School of Cybersecurity and Information Technology at the University of Maryland Global Campus, to discuss a difficult reality: awareness training isn't necessarily failing because it's bad. It's failing because it was never designed to solve the entire problem.

Catch the full episode:

The Human Factor with Dr. Calvin Nobles
Dr. Dustin Sachs sits down with Dr. Calvin Nobles to explore why security awareness alone is insufficient when it comes to changing human behavior.

The Awareness Illusion

One of Nobles' most memorable observations is what he calls the "mayonnaise on a sandwich" problem.

Organizations often deliver security awareness training the same way to every employee, assuming that everyone learns, processes information, and retains knowledge similarly. In reality, people absorb information differently. Some learn visually. Others learn through repetition. Some prefer hands-on experiences, while others benefit from reading and reflection.

Yet cybersecurity awareness programs frequently take a one-size-fits-all approach.

The larger issue, however, isn't simply how training is delivered. It's the assumption that knowledge automatically creates secure behavior.

Nobles pointed to research showing that learning retention declines significantly when knowledge is not reinforced. Many organizations conduct annual awareness training and expect employees to remember what they learned for the next 12 months. Human beings simply don't work that way. Knowledge fades. Context changes. Priorities shift. Workloads increase. The lesson that seemed obvious during a training session often disappears when an employee is juggling deadlines, responding to customers, and managing dozens of competing tasks.

That's why awareness metrics can be deceptive. Training completion rates, phishing click percentages, and policy acknowledgements may demonstrate participation, but they don't necessarily demonstrate reduced risk. Organizations often end up measuring activity instead of outcomes.

Why People Don't Do What They Know

The conversation's central argument is that cybersecurity has spent too much time treating security behavior as a knowledge problem and not enough time treating it as a human performance problem.

People rarely make security decisions in ideal conditions.

They make them while dealing with cognitive overload, fatigue, stress, time pressure, confusing interfaces, unclear incentives, and workplace distractions. Under those circumstances, even well-trained employees can make poor decisions.

More CYBR.Minded:

Your Biggest Security Risk? Mentally Exhausted Humans
From our first episode of CYBR.Minded: Security teams are drowning in alerts, responsibility and impossible expectations. Until recently, the industry treated it as a personal problem instead of a systemic one.
The Human Side of Cybersecurity With Bill Brenner
Why mental health, overload, alert fatigue, and human resilience are cybersecurity issues.

Nobles argues that cybersecurity needs to embrace human factors engineering—the discipline of designing systems, technologies, and processes that account for human limitations and weaknesses. Instead of asking why an employee failed, organizations should ask what conditions made failure more likely.

That distinction matters.

A confusing authentication process, an overly complex security policy, or a cumbersome workflow can create friction that pushes employees toward risky behavior. Over time, those frustrations contribute to security fatigue, burnout, and disengagement.

Nobles also highlighted another uncomfortable truth: most cybersecurity teams lack professionals trained in behavioral science, cognitive psychology, neuroscience, or human factors engineering. Organizations routinely employ experts in networking, cloud security, software development, and threat detection, yet rarely include specialists who understand how people interact with the environments security teams create.

As a result, cybersecurity often defaults to blaming users rather than examining the systems those users are expected to navigate every day.

What Security Leaders Should Do Instead

If awareness training is only part of the solution, what comes next?

According to Nobles, security leaders need to broaden what they measure and how they think about risk.

Rather than focusing exclusively on phishing simulation results and training completion percentages, organizations should begin examining workflow complexity, usability challenges, employee stress levels, policy comprehension, and operational friction. They should actively seek input from employees across different departments, age groups, technical skill levels, and job functions before rolling out new technologies or processes.

One example discussed during the podcast involved employees who begin work as much as 90 minutes early because they fear login problems will prevent them from starting their day on time. While that behavior may appear responsible on the surface, it reveals a deeper design flaw: employees are experiencing anxiety before the workday even begins because they lack confidence in the systems they're required to use.

Nobles' ultimate message is both simple and challenging. Cybersecurity has spent years trying to train people into being more secure. The next phase of the industry's evolution will require designing environments where secure behavior becomes the easiest, most practical, and most sustainable option.

More technology alone won't get organizations there.

Understanding people might.

The organizations that recognize that distinction first may ultimately gain the biggest security advantage of all.