Positive Approaches to Cybersecurity Training

Cybersecurity can be an intimidating subject for employees, but companies can use a positive approach to keep employees accountable.

Shaun McAlmont, Chief Executive Officer, Ninjio

May 16, 2024

4 Min Read
A key to happiness concept with a key and hand drawn happy faces isolated in a white background.
Yau Ming Low via Alamy Stock

A central responsibility for CISOs and other security leaders is building stakeholder support for cybersecurity across the organization -- from the board to entry-level employees. One way to do this is by focusing on positive reinforcement. This element of engagement is often overlooked, as it can be difficult to communicate about serious issues like cybersecurity in positive ways. But a culture of cybersecurity need not be based on fear. 

While core aspects of accountability include identifying employees’ psychological vulnerabilities, closing knowledge and skills gaps, and addressing mistakes that could put the organization at risk, none of these elements of awareness training require punitive interactions. Punishing and criticizing employees is more likely to frustrate and discourage them than inspire them to do better. When cybersecurity education is constructive, employees will be far more inclined to pay close attention and put what they learn into practice.  

Effective awareness training is all about sustainable behavior change, which means providing compelling incentives for employees to adopt healthier cybersecurity attitudes and habits. Employees shouldn’t be penalized for making mistakes -- they should instead receive helpful feedback on where they can improve, along with frequent reminders that they have the power to keep the organization safe from cyberattacks.  

Related:6 Ways to Manage Cybersecurity Burnout and Support Teams Better

How Awareness Training Can Empower Your Workforce 

Social engineering is one of the most destructive cybercriminal tactics -- 74% of all breaches involve a human element, and phishing ranks among the most common and harmful cyberattacks. When employees see statistics like these, it’s natural to feel intimidated -- how can they hope to protect the company from ever-evolving cyberattacks? This challenge is more daunting as social engineering attacks become increasingly sophisticated in the age of AI.  

But just as human error is to blame for a huge proportion of successful cyberattacks, employee awareness deserves credit for preventing countless more. IBM reports that one of the top mitigating factors of the total cost of data breaches is employee training, and given the continued reliance on social engineering, that training has never been more vital for protecting the company. These are points that security leaders have to consistently emphasize – when employees see that they’re capable of defending the organization, they will feel empowered instead of intimidated.  

By offering a positive vision of employees’ integral role in protecting the company, security leaders will show them that they don’t have to be victims. This is a critical step toward building a culture of cybersecurity at the company.  

Related:IT Security Hiring Must Adapt to Skills Shortages

Positive Reinforcement Works Better Than Punishment 

While accountability is essential for any training program, security leaders must be able to show employees what they’re doing right and wrong without attacking or belittling them. These leaders must establish security assessments and incident reporting mechanisms that will incentivize employees to keep them updated, even if those employees have made a mistake that put the organization at risk. 

It’s crucial for security teams to remember that employees are already under immense pressure. From the endless sprint to keep pace with rapid digital transformation to the dramatic shifts in how and where they work over the past few years, workplace stressors are plentiful. Positive reinforcement is particularly important as employee stress reaches all-time highs. To create a sustainable culture of cybersecurity, CISOs and other security leaders shouldn’t allow cybersecurity awareness training to become an extra burden to already-stressed employees.  

Companies can’t afford to alienate employees with oppressive threats and punishments. Such negative reinforcement will ensure that they either disengage or actively resist efforts to build up their cybersecurity awareness. Security leaders aren’t drill sergeants – they need to be educators capable of capturing the attention of busy employees who already have countless other distractions.  

Related:The Cybersecurity Crucible: Unsung CISO Struggles Under Fire

Demonstrating the Value of Awareness Training 

At a time when two-thirds of employees are struggling to keep up with constantly changing skills requirements, security leaders have an unprecedented opportunity to earn stakeholder buy-in for cybersecurity awareness training programs.  

According to Microsoft, 82% of company leaders say employees will need new skills for the AI era. This is particularly true for cybersecurity, as AI-powered cyberattacks like LLM-generated phishing messages and deepfakes are making social engineering attacks far more sophisticated and destructive. As the demand for cybersecurity skills surges, security leaders can highlight the ways these skills will help employees advance their careers and become better equipped for the workplace of tomorrow.  

Security leaders know employees have a pivotal role to play in protecting the company from cyberattacks, and the best way to build a culture of cybersecurity is to make sure employees know it, too. Beyond demonstrating all the ways employees can defend the organization with real-world examples of cyberattacks that could have been prevented through greater cyber awareness, security leaders can personalize training to account for their unique skill levels, behavioral profiles, and learning styles. This will show employees that the company is invested in their individual progress and give them a more engaging educational experience.  

When security leaders empower employees to become cyber defenders by showing them why security awareness training matters and focusing on positive reinforcement, they will build a culture of cybersecurity that will last for many years to come.  

About the Author

Shaun McAlmont

Chief Executive Officer, Ninjio

Dr. Shaun McAlmont is CEO of Ninjio Cybersecurity Awareness Training and is one of the nation’s leading education and training executives. Prior to NINJIO he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and served as CEO of Neumont College of Computer Science. His workforce and Ed Tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master’s degree from the University of San Francisco, and his bachelor’s degree from BYU. 

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights