For many organisations, security awareness training has become a routine part of doing the right thing. It’s rolled out once a year, completed with minimal friction, and filed away as evidence of good practice. But as cyber threats have evolved, the gap between what this training promises and what it actually delivers has widened. The question is whether awareness alone stands up in the moments that matter most.
Awareness assumes time, distance and rational thought
Awareness implies understanding. It suggests that if people know enough about cyber threats, they will make better decisions when the moment comes. The model assumes that there’s time to think, emotional distance, and a calm environment in which rational judgement can prevail. Unfortunately, that is not how modern cyber attacks work.
Today’s attacks are designed to bypass reflection entirely. They rely on urgency, familiarity, authority and fatigue. The goal is not to convince the target through logic, but to trigger an automatic response before doubt has time to surface. In that context, asking whether someone is aware of phishing techniques feels a little like asking whether they understand road safety while pushing them into traffic.
Modern cyber attacks are not designed to test knowledge. They are designed to trigger action.
From awareness to behaviour
What organisations should be trying to do is something quite different. They should be trying to shape behaviour. Not through fear, not through lectures, but through repetition and reinforcement. The aim is to make the safe response the natural one, even under pressure. When faced with a suspicious email, an unexpected attachment or an unusual request, the correct reaction should feel almost instinctive: pause, verify, report.
- Pause before acting on unexpected requests
- Verify the sender or request through a second channel
- Report anything suspicious, even if you are unsure
Not because the person consciously recalls a training slide, but because the behaviour itself has been practised enough to feel familiar.
This is not a new idea. We already accept it in other domains. Fire drills are not about educating people on the chemistry of combustion. They exist so that when the alarm sounds, people move without debate. Seat belts are worn not because drivers reassess risk on every journey, but because the action has become automatic. In each case, repetition builds a kind of conditioned response that holds even when stress is high.
In practice, many successful cyber incidents, from fraudulent payment requests to MFA fatigue attacks, rely on people responding automatically, not thoughtfully. Rather than being treated as the weakest link, employees become a core component of an organisation’s security posture.
When security fails, it is rarely because people did not care. It is because the behaviour they needed was never reinforced.
Why modern cyber threats demand a behavioural response
Modern cybersecurity threats demand the same approach. Social engineering attacks are explicitly behavioural in nature. They are refined through iteration, testing and observation. Criminals learn what prompts action, what creates hesitation and what gets ignored. In effect, attackers are already running behavioural experiments at scale. Defenders who rely solely on awareness are fighting an adaptive opponent with static tools.
This is why, in practice, repetition matters more than information. People rarely make the right decision because they remember a policy document or a training video they watched months ago. They make the right decision because something feels off. That sense does not come from knowledge alone; it comes from exposure. Seeing similar scenarios multiple times, making mistakes in a safe environment and receiving immediate feedback builds pattern recognition. Over time, caution stops feeling exceptional and starts feeling normal.
Rethinking the role of the employee
Awareness training persists not because organisations are careless, but because it is simple to deploy, easy to evidence and satisfies long-standing compliance expectations. It also reframes the role of the employee. In the old awareness model, people are often described as the weakest link, an unfortunate liability to be managed. In an approach focused on reliable action, they become an active part of the defence system. Their responses are trained, tested and improved, just like any other control. Importantly, this only works when mistakes are treated as data, not as failure. Behaviour does not change under blame; it changes under consistent, low-friction correction.
This shift has implications for how organisations design and talk about training. Annual, high-level sessions delivered primarily for compliance are poorly suited to behavioural change. Habits are not built once a year. They are built through short, frequent interactions that mirror real threats and reinforce expected responses. The most effective programmes are often quiet ones: small nudges, regular simulations, and simple guidance repeated until it sticks.
Why language still matters
Language matters here. Continuing to call this security awareness training risks anchoring expectations to the wrong outcome. Awareness suggests a passive state: “I know about this.” Behaviour suggests action: “This is what I do.” The distinction is subtle but important, particularly when boards and senior leaders assess value. The question should not be “Are our people aware of cyber risks?” but “Do our people reliably respond in safer ways when it counts?”
None of this means that education has no place. Understanding why threats exist and how they evolve still matters, especially for those designing controls and response strategies. For most users though, the frontline defence must be behavioural. When an attack arrives, there is no exam paper, no time to reason from first principles. There is only a moment in which the wrong click benefits the criminal and the right pause breaks the chain.
As threats continue to accelerate and personalise, this distinction will only grow sharper. Attackers are already leveraging AI to tailor messages, mimic internal language and strike at precisely the wrong moment. In that environment, the organisations that fare best will not be those with the most detailed training materials, but those whose people have practised safe responses so often that doing the right thing feels unremarkable.
What this shift looks like in practice
It may be time to retire the term “security awareness training”, or at least to challenge what we mean by it. The future of human-centric cyber defence is not about knowing more. It is about behaving in the right way, consistently, under pressure and without needing to think too hard about it. When that becomes instinctive, awareness has done its job and behaviour has taken over.
Making this shift requires a different way of thinking about training, measurement and the role people play in security. For many organisations, this shift is already underway, even if the language has yet to catch up. The real measure of training is not what people know. It is what they do when it matters.
At Brigantia, we focus on building security behaviours that hold up under pressure, not just awareness that looks good on paper. Learn more about Brigantia or get in touch today.