
Why Isn't My Security Awareness Campaign Working?


Many times, organisations will roll out a security awareness campaign with the best of intentions, but it doesn’t have the desired effect.

Find out why ...


You have repeatedly warned users about the dangers of reusing passwords, plugging in unknown USB devices, or blindly clicking links, yet their behaviour is at odds with that information. So why are they still making poor security choices despite everything you tell them? Are they stupid? Is training worthless? There are many factors at play, but it boils down to one simple phrase: "Your users aren't stupid, they're human".

BJ Fogg, founder of the Stanford University Behaviour Design Lab, put it this way when describing how to get people to perform specific behaviours: "3 truths about human nature: We're lazy, social, and creatures of habit. Design products for this reality." In other words, anything designed against human nature will most likely fail.


So, how can we get people to make better security decisions?

The good news is that you can, and should, design your information security campaign and related policies around the realities of human nature. For your security awareness campaign to be effective, your organisation needs to address three things in how the information is delivered and measured.


  1. Do you care more about what your users know, or do?

    The first point is one of reflection. Too often we are concerned with the information a user is given rather than the behaviour we want to change. Think of it like this: driving down the road, I may be aware that the speed limit is 30mph, but if that doesn't translate into me driving at 30mph, the information is pretty pointless.

  2. Plan like a marketer, think like an attacker

    Attackers will continually target your users and try every trick in the book. You need to plan your campaign around this reality: test users consistently and deliver learning across all mediums, whether executive messages, learning modules, posters, screensavers, newsletters, etc. Like a good marketing campaign, each element should reinforce the others.

  3. Changing behaviour takes time

    The final point is that even the best security awareness campaign will take time before results are seen. The key is to be consistent and patient. A bit like embarking on a fitness regime, it won't happen overnight, but eventually the results will show.


Request a no-obligation consultation with boxxe and KnowBe4 and discover how you can enable your users to make smarter security decisions.
