
By Immanuel BOAMA-WIAFE
The digital landscape keeps evolving at a rapid pace and, as such, the rate of cyberattacks continues to escalate, raising serious concerns about organizational resilience.
Despite the increasingly widespread implementation of cybersecurity awareness programmes, the anticipated decline in incidents, particularly those involving social engineering, has largely failed to materialize.
At the very core of this persistent vulnerability lies the human factor, long recognized as the weakest link in cybersecurity. While many organizations invest in awareness campaigns and mandatory e-learning modules, the reality is that knowledge alone does not equal behaviour change.
Understanding what actually works – Insights from behavioural research
Drawing on behavioural psychology, specifically Social Cognitive Theory (SCT) and the Theory of Planned Behaviour (TPB), I investigated what truly drives effective cybersecurity training. Using a mixed-methods approach that combined expert interviews, a survey (n=163) and statistical analysis (SPSS and SmartPLS-4), the research identified the factors that influence whether employees change their behaviour in response to cyber threats.
Four influencing factors:
- Cybersecurity skills and confidence significantly improve employees’ ability to detect and respond to threats.
- Observational learning, such as peer modelling and scenario-based role-play, reinforces secure behaviour through shared experience.
- Subjective norms, or employees’ perceptions of what others expect of them, strongly influence their cybersecurity behaviour.
- Perceived behavioural control, or confidence in one’s capability to act securely, is a significant predictor of effective cybersecurity behaviour.
Conversely, two elements that training programmes commonly rely on were found to be statistically insignificant as predictors of behaviour:
- Cybersecurity awareness (simply knowing that threats exist)
- Cybersecurity feedback (scores, assessments, or post-training quizzes)
These findings challenge the assumption that increased awareness or performance on a quiz automatically leads to better cyber hygiene.
Visual Summary: What really drives cybersecure behaviour
[Figure: bar chart of the model’s predictors of cybersecurity behaviour; green bars = statistically significant, red bars = not significant]
The chart shows that cybersecurity behaviour is most influenced by confidence, observational learning, subjective norms and perceived control, not by awareness or feedback alone. The green bars are the statistically significant predictors; the red bars are the non-significant ones. This drives home the point that training programmes should prioritize behavioural change strategies over mere awareness campaigns.
Implications for cybersecurity awareness trainers
The data paints a compelling picture: routine awareness campaigns and quizzes are no longer enough. For cybersecurity training to be effective, it must be designed to change behaviour, not just to share information.
Questions every training coordinator should be asking:
- Are we enabling observational learning? Integrate real-life attack simulations, peer-led demos and storytelling to increase retention and engagement.
- Do employees feel cyber-confident, and not just aware? Use role-based, hands-on practice environments to build skill and self-efficacy.
- Are we making secure behaviour the social norm? Leverage departmental dynamics, team challenges and recognition/reward schemes to reinforce and normalize good cyber behaviours.
- Is our feedback meaningful or superficial? Move beyond one-off quizzes and embed continuous micro-feedback loops into daily workflows, such as phishing simulations followed by guided learning moments.
Training strategies recommended
To increase engagement and long-term impact, training should:
- Use behavioural modelling (live demos, scenario-based modelling)
- Adopt microlearning formats tailored to busy work schedules
- Leverage gamification and peer competition
- Regularly update training content to align with new threats
- Ensure visible leadership buy-in to secure practices
A broader call to action
Most importantly, these findings challenge the outdated model of “tick-the-box” training and instead offer actionable insights for any organization or industry seeking to strengthen its cybersecurity posture. Cybersecurity training must be woven into the very fabric of an organization’s cyber strategy and maturity roadmap, not treated as a once-a-year compliance exercise.
Training should evolve into a strategic, behavioural, and cultural intervention, designed to build resilience from the inside out. Cybersecurity is not just about systems and software—it’s about people. As cyber threats change, our training must adapt.
Author’s Note – These insights are based on my MSc research on cybersecurity training efficacy, where I had the opportunity to combine academic inquiry with real-world data. As cyber threats grow more human-centric, there is an urgent need to rethink how we train people—not just protect systems.
The writer is a Cybersecurity Transformation Lead focused on building digital trust and resilience through human-centric security strategies.
The post The human factor challenge: Rethinking cybersecurity awareness training appeared first on The Business & Financial Times.