Reinventing Security Awareness Training
Posted July 25, 2025 by Stacy Hagemann

There was a recent article in Dark Reading titled “We’ve All Been Wrong: Phishing Training Doesn’t Work” by Nate Nelson. It highlights a recent study over an eight-month period evaluating the effects of phishing training, along with previous studies from prior years testing a variety of methods: static, interactive, and simulated training. The conclusion is that the training is having little to no effect.
We see this more as a case of doing the same old thing and expecting a different result. Phishing awareness training came to market in the early 2000s, and there has been little to no innovation in how training is delivered or even in the topics being covered. You are hard-pressed to find any awareness training relating to data loss and AI, both of which are highly relevant in today’s digital world.
The response should not be to say it’s not working, so scrap the training. We should be demanding more innovative and expanded cybersecurity training. The article states interactive training saw improved results, but still not what is expected. While changes within the awareness training market have been slow, we are seeing new solutions with features such as gamification, personalization to the user’s role, and employee ranking to increase competitiveness. Organizations need to take more ownership of training content and delivery, not just on phishing, but also on data loss and AI.
Similar to the Cloud Shared Responsibility Model, there should be an Organizational Cybersecurity Shared Responsibility Model. Everyone at the organization should understand their role and the associated risks, and be working in their capacity to keep the business safe. When training is done on a more direct and engaging level, it not only helps with an organization’s risk, but also helps every employee personally understand their own risk at work and at home.

If you would like more information on Security Awareness Training (SAT), Security Culture and Behavior Programs (SCBP), or User Adaptive Risk Management (UARM), please email us at hello@sayers.com.