Cybersecurity
Stop training people. Start fixing technology.
Why security awareness training is a comforting lie — and what we should do instead
Last week at the ESET Cyber Defence Summit, Prof. Bibi van den Berg — Professor of Cybersecurity Governance at Leiden University and member of the Dutch Cyber Security Council — said something that most of the audience already suspected but few dared to say out loud: the research consistently shows that security awareness training barely moves the needle on actual secure behaviour. The room went quiet for a moment. Then, slowly, heads started nodding.
I was one of those nodding heads. Not because I enjoy being a contrarian, but because this matches everything I’ve seen in over a decade of working in information security. We have spent billions on awareness programmes, phishing simulations, and e-learning modules. And yet, breaches keep happening. The click rates barely budge. The humans keep being human.
The research is in, and it’s damning
Van den Berg is not just presenting opinions from the stage. She and her colleagues at Leiden University have produced the research to back it up. In 2024, Prümmer, Van Steen, and Van den Berg published a meta-analysis that examined 69 studies on the effectiveness of cybersecurity training. Their conclusion is striking: training does improve knowledge and awareness (people learn to identify threats in theory), but the effect on actual behaviour is a different story entirely. When studies used independent groups to measure real behaviour change, they found only a small, statistically non-significant effect. In plain language: “people know what they should do, but they do not reliably do it.”
This finding did not come out of nowhere. A year earlier, the same research team published a systematic review of current cybersecurity training methods in the same journal. That review found that merely providing information has a limited effect on changing behaviour, that training programmes are often too narrow in scope, and that employees frequently lack enthusiasm for the material. The translation of training into workplace behaviour is, in the authors’ own framing, a difficult undertaking. When using methods with limited efficacy, effort and resources are wasted.
What makes these findings particularly devastating is the moderator analysis: the meta-analysis tested whether the type of training method, the platform, the social setting, or the use of multiple methods made a significant difference. None of them did. It is not that we have not found the right training method yet. The entire paradigm of training-as-risk-reduction is fundamentally limited.
The mathematical certainty of failure
Here’s the uncomfortable truth that our industry refuses to accept: even if you train every employee to a 99% accuracy rate (which would be an extraordinary achievement, far beyond what the research shows is possible), the maths still works against you. In an organisation with 1,000 employees, each making dozens of security-relevant decisions every day, you are looking at tens of thousands of opportunities for error. Every single day. The probability that at least one person will do the wrong thing at the wrong time is, for all practical purposes, one hundred percent.
This is not a training problem. This is a systems design problem. And you do not solve systems design problems by lecturing the people who are trapped inside a badly designed system.
The phishing simulation industry is selling placebos
At Guardian360, we stopped offering phishing tests several years ago. This was not a popular business decision because phishing simulations are a lucrative market. But we stopped because we could not, in good conscience, keep selling a service that we knew did not meaningfully reduce risk.
Phishing simulations measure a single moment in time. They tell you that Janet in accounting clicked a fake link on a Tuesday afternoon. They do not tell you why. Was she rushed? Was the email indistinguishable from a legitimate one? Was she on her phone while walking to a meeting? The test creates data, but not insight. And the typical organisational response (in this case, more training for Janet) treats the symptom while ignoring the disease.
Worse, phishing tests create a false sense of security. “Our click rate went from 25% to 12%,” the CISO tells the board, and everyone applauds. But 12% of a thousand employees is still 120 open doors. And the attacker only needs one. The Leiden meta-analysis confirms this intuition: even across the most favourable studies, the behavioural effect is modest at best and non-significant at worst.
Technology must carry the weight
My conviction, hardened by years of experience and now backed by the work of Van den Berg and her colleagues, is simple: technology has to solve this. Not as a complement to training. As the primary line of defence.
What does that mean in practice? It means we stop asking humans to be the last line of defence and start building systems where humans cannot easily make catastrophic mistakes. Think about it: we do not train airline passengers to inspect the wing rivets before takeoff. We build aircraft that are safe by design, maintained by certified engineers, and monitored by automated systems. We should demand the same philosophy from our digital infrastructure.
Concretely, this means investing in technologies that make security invisible and inevitable. Passwordless authentication removes the entire category of credential theft. Hardware security keys make phishing technically impossible, not just improbable. Endpoint detection and response catches the malware that someone inevitably downloads. Email filtering stops the malicious message before it reaches the inbox. Zero-trust architectures limit the blast radius when, not if, someone makes a mistake.
Making security the path of least resistance
The fundamental error of the awareness-training paradigm is that it frames security as something people must actively choose, over and over, thousands of times a day, against the pull of convenience, urgency, and habit. That is not a realistic expectation of human beings. It never was.
The paradigm we need is different. Security should be the default. The easy path and the secure path should be the same path. When they diverge, when the secure option requires more steps, more friction, more cognitive load, the system is broken, not the user.
This is not a radical idea. It is how we think about safety in virtually every other domain. Road engineers do not rely on driver training alone to prevent accidents; they install guardrails, design crumple zones, and mandate airbags. Hospital architects do not rely on handwashing posters; they install automatic dispensers at every doorway. And yet in cybersecurity, we keep putting up the posters and wondering why people walk past them.
The courage to change the conversation
I know this position makes some people uncomfortable. The security awareness industry is worth billions. Careers have been built on it. Compliance frameworks require it. To be clear, I am not saying we should tell employees absolutely nothing about security. Basic hygiene, like understanding why you should not share your password and recognising that threats exist, is table stakes. The Leiden research confirms that knowledge and awareness do improve with training. But knowledge without behavioural change is an expensive illusion of security.
It is time to have the courage to redirect those budgets, that energy, and that executive attention from training programmes to technology investments that actually move the needle. Not because technology is perfect (it is not) but because it is scalable, consistent, and does not have a bad day on a Tuesday afternoon.
Stop training people. Start fixing technology. Your users are not the weakest link; your systems are.
References
Prümmer, J., Van Steen, T., & Van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206.
Prümmer, J., Van Steen, T., & Van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585.
Van den Berg, B. (2026). Round table discussion at the ESET Cyber Defence Summit.