
How do I get employees to actually take security training?

Practical guidance on getting employees to take security training for organizations that want to improve secure behavior structurally.


Founder & Security Awareness Specialist · 2LRN4

The hardest question in any awareness discussion is not which content to choose or which platform to buy. It is how to get employees to actually take the training, with attention, and even remember what was in it. In practice success depends less on content than on how you embed the programme. What works, and what does not?

Why adoption is the real problem, not content

Many organisations spend years looking for the right e-learning content while the real problem sits elsewhere: employees do not find the time, do not see the importance, or are tired of too many mandatory modules. The content can be crystal clear; if adoption stays low, the programme stalls.

In practice no organisation runs on 100 percent voluntary participation. The question is therefore not whether to make it mandatory, but how to position it so employees also find it useful. People readily follow training they see the point of, for their own work, their private life, or their family at home.

Three elements drive adoption: motivation (why would I do this?), opportunity (do I have time now?) and ease (will it cost me much effort?). Steering on only one of those does not pull the other two along. A mandatory module without motivation produces ticks, not behaviour.

Three types of resistance, and how to handle them

Employees who do not simply join in are not a single group. Three resistance types occur most often in practice, and each calls for a different approach.

  • The sceptical senior. "I have worked here for 25 years and never been hacked." Not a convincing fact, but a logic that fits their worldview. Approach: acknowledge experience, ask their opinion, involve them as adviser or ambassador. People who feel heard often move from blocker to ally.
  • The busy specialist. "I really do not have time for this." Often a feeling that the work is not recognised. Approach: make the programme as light as possible for this group (microlearning of four to eight minutes), and let them choose the moment themselves within a reasonable deadline. Resistance fades when control sits with the employee.
  • The cynic. "This is only for show, they just want to tick boxes." Often the result of past bad-training experiences. Approach: show what the organisation does with it (reporting, incident follow-up, policy adjustments). Nothing dispels cynicism faster than visible action.

Top-down and bottom-up: management and ambassadors

A programme imposed only from the top feels like a rule. A programme carried only by volunteers lacks mandate. What works is the combination: visible board involvement and ambassadors from the heart of the organisation.

Visible board involvement is more than a kick-off email. A short video of the executive saying why this matters, an executive who is the first to complete the annual training and lets that be known, a note in the board minutes about progress. Under the Dutch Cybersecurity Act board training is mandatory anyway; use that requirement to make it visible rather than to quietly tick it off.

Ambassadors are the people already active: colleagues who report phishing, give feedback on training, understand its importance. Give them their own channel (a Teams or Slack space), keep them informed of incidents and near-misses, let them help others. The ambassador programme also acts as an early-warning system when the programme starts to stall.

Make it short, relevant and personally applicable

One of the strongest levers for adoption is not technology but format. Short modules of four to eight minutes get done; modules of thirty-five minutes get postponed until a quarterly crisis forces them through. Microlearning is not a fad; it is an approach that works.

Make every module relevant to the audience. A finance employee learns more from a module on invoice fraud than from a generic phishing primer. A new joiner learns more from an onboarding module showing what can go wrong in the first week. Generic 'for everyone' modules work worse than role-based content, even though they look efficient.

Also translate every theme to private life. A password module becomes attractive if it also shows how to secure your Netflix or banking account. Employees learn without resistance in their private domain, and that knowledge automatically travels to the office. The training stops feeling like an organisational obligation and starts feeling like something that makes their own life safer.

Mandatory or voluntary? A nuance that works

Fully voluntary participation ends up far too low in almost every organisation. Fully mandatory without communication breeds resistance. The workable middle ground usually looks like this: a short base training (yearly, twenty to thirty minutes in total, broken up into microlearning blocks) is mandatory and visibly linked to compliance such as NIS2 or the Dutch Cybersecurity Act. Additional modules (role-based, theme-driven) are recommended or offered, not enforced.

Make the mandate reasonable: deadlines of weeks not hours; freedom to choose the moment within that window; reminders that work without sounding patronising. And explain why: for the organisation, for them personally, for compliance. An employee who understands the why approaches a mandatory training differently from someone who experiences it as another tick.

And finally: distinguish finite from continual. A one-off mandatory training is an event. A recurring short module of a few minutes per month is a rhythm, and rhythms are much easier to adopt. After a few months the rhythm itself becomes self-evident.

How to measure and steer adoption

Adoption is measurable, provided you measure all three elements together: participation (what share starts the module?), completion (what share finishes?) and behaviour change (click and report rates in phishing simulations).

A healthy organisation, within twelve to eighteen months, reaches over 90 percent completion of the annual base training, a phishing-simulation report rate of 60 to 75 percent, and a click rate dropping to 5 to 10 percent. More important than the absolute numbers is the direction: is participation rising or stalling?

Steer on these numbers together, not in isolation. High participation without behaviour change signals content that does not match. High completion with low report rate signals click-through behaviour without reading. A balanced view across all three measures gives you the real picture.
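To make this combined reading concrete, here is an added Python example (not code from the article or from 2LRN4) that computes the three measures from constructed quarterly counts and applies the section's rules, benchmarks and direction check together; the counts and the wording of the signals are assumptions.

```python
"""Added example, not from the 2LRN4 article: compute the article's three adoption
measures from period counts and read them together, as the article advises.
Thresholds are the article's twelve-to-eighteen-month benchmarks; counts are constructed."""

# Constructed quarterly counts, as an LMS and a phishing-simulation tool would export them.
PERIODS = {
    "Q1": {"employees": 120, "started": 84, "completed": 71, "mails": 120, "clicked": 26, "reported": 30},
    "Q2": {"employees": 120, "started": 111, "completed": 109, "mails": 120, "clicked": 17, "reported": 48},
    "Q3": {"employees": 120, "started": 113, "completed": 112, "mails": 120, "clicked": 9, "reported": 84},
}

# Article benchmarks: over 90% completion, 60-75% report rate, click rate down to 5-10%.
TARGETS = {"completion": 0.90, "report": 0.60, "click": 0.10}

def adoption_metrics(c):
    """Participation, completion, click and report rates as fractions."""
    return {
        "participation": c["started"] / c["employees"],
        "completion": c["completed"] / c["employees"],
        "click": c["clicked"] / c["mails"],
        "report": c["reported"] / c["mails"],
    }

def read_together(m, previous=None):
    """Return the article's diagnostic signals; the numbers are judged together, not alone."""
    signals = []
    if (m["completion"] >= TARGETS["completion"] and m["report"] >= TARGETS["report"]
            and m["click"] <= TARGETS["click"]):
        signals.append("on target across all three measures")
    if m["completion"] >= TARGETS["completion"] and m["report"] < TARGETS["report"]:
        signals.append("high completion, low report rate: click-through without reading")
    if m["participation"] >= TARGETS["completion"] and m["click"] > TARGETS["click"]:
        signals.append("high participation, no behaviour change: content does not match")
    if m["completion"] < TARGETS["completion"]:
        signals.append("completion below 90%: adoption itself is the problem")
    if previous is not None:  # direction matters more than the absolute numbers
        trend = "rising" if m["participation"] > previous["participation"] else "stalling"
        signals.append(f"participation {trend}")
    return signals

def review(periods):
    """Walk the periods in order, reading each one against the previous period."""
    out, prev = {}, None
    for name, counts in periods.items():
        m = adoption_metrics(counts)
        out[name] = read_together(m, prev)
        prev = m
    return out

if __name__ == "__main__":
    for period, signals in review(PERIODS).items():
        print(period, "->", "; ".join(signals))
```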



FAQ

How do I convince employees to take security training?

Explain why: for themselves (privately), for their team and for compliance. Keep modules short (four to eight minutes), make them relevant to the daily job, and have management visibly lead by example. Pure obligation without explanation produces ticks, not behaviour.

Should security training be mandatory?

In practice yes: voluntary leads to too little participation. Make the base training mandatory and tie it to compliance (NIS2, Cbw). Additional modules can be recommended rather than enforced. Make deadlines reasonable and explain the why.

What do I do with employees who refuse?

Examine the type of resistance first. The sceptical senior responds to recognition and involvement (ask their advice, make them an ambassador). The busy specialist responds to space (microlearning, freedom over timing). The cynic responds to visible action (show that training leads to policy change and incident follow-up).

How long should mandatory training take?

For an annual base, twenty to thirty minutes in total works well, split into microlearning blocks of four to eight minutes spread over several months. One long two-hour session demonstrably leads to lower retention and higher resistance.

How do I measure whether adoption is actually working?

Combine three numbers: participation rate (who starts), completion rate (who finishes) and behaviour metrics (click and report rates in phishing simulations). High completion without behaviour change suggests click-through, not real adoption.

What role does the board play in adoption?

A big one. A short executive video, an executive who is the first to complete training, and periodic discussion at board level. Under the Dutch Cybersecurity Act board training is legally required anyway; make that visible as role-model behaviour.

Does gamification help adoption?

Sometimes, not always. Gamification works for specific topics and audiences, especially with microlearning as a recurring rhythm. Used wrong (too childish, too competitive) it backfires. Test with a small pilot before a broad rollout.

External source: NCSC - Awareness resources
