In brief
- Management involvement ranks among the strongest and most consistently demonstrated predictors of secure employee behaviour. This emerges from a meta-analysis of 95 empirical studies, from several systematic literature reviews and from research among experienced awareness professionals. An awareness programme is therefore not a product you roll out, but a change process of which management forms a load-bearing part.
- That involvement works largely indirectly, through culture and role-modelling. Employees take their cue from what their managers do, not from what they say. Symbolic support, such as a one-off announcement from the board, therefore changes little, whereas visible participation, role-modelling and steering do. In addition, management controls the opportunity to learn, namely the budget, the time during working hours and the priority. It is precisely that opportunity that goes missing the moment awareness is understood as "just rolling out an e-learning".
- You do not convince management with fear, but with three tracks at once: the legal duty of care under the NIS2 directive and its national implementation, which makes the board itself responsible and subject to a training obligation; a concrete and small request for behaviour instead of a vague request for support; and reporting in the language of risk instead of in completion percentages.
When someone sees a privacy and security awareness programme fail, they usually look for the cause close to the programme itself. Perhaps the e-learning was too dull, the communication too thin or the employees too busy. Sometimes the cause does indeed lie in the programme itself, for example when security and privacy are treated as one and the same while they call for a different approach, as we showed in "The difference between security awareness and privacy awareness". In practice, however, something else often precedes all of this: a management team that sums awareness up as "it's just rolling out an e-learning", and that subsequently frees up no more budget, time and attention for it than for an arbitrary software licence.
This report sets out what the scientific research says about the role of management in awareness programmes, why that role weighs so heavily and how, as a professional, you can still bring a reluctant management team on board.
About this study
- Type: Literature review based on peer-reviewed research and the European NIS2 directive.
- Sources: A meta-analysis of 95 empirical studies, three systematic literature reviews, field research among awareness professionals and board research from MIT Sloan and Bentley University.
- Reference date: June 2026.
- Main question: To what extent does management involvement determine whether a privacy and security awareness programme succeeds or fails, and how do you convince a management team that sees awareness as rolling out an e-learning?
Sub-questions
- What does the research mean by management involvement, and which forms does it distinguish?
- How strong is the relationship between management involvement and secure employee behaviour, compared with other factors?
- Through which mechanism does management influence that behaviour?
- Is management involvement a critical success factor for the awareness programme itself?
- What happens in practice when that involvement is absent?
- Which forms of involvement have a demonstrable effect, and which remain symbolic?
- With which arguments and measures do you convince a reluctant management team?
01 · Finding: Management involvement is not a precondition, but a primary factor
The research into why employees do or do not behave securely is extensive. The most complete summary is the meta-analysis by Cram, D'Arcy and Proudfoot (2019) in MIS Quarterly, in which 95 empirical studies and 401 examined variables were reduced to seventeen categories of factors that predict compliance with security policy. The common thread running through this and later review studies is that the decisive factors are not technical but organisational: the attitudes and personal norms of employees, the social environment in which they work and the organisational culture. Strikingly, the classic instrument of many managers, reward and punishment, turns out to be one of the weakest predictors.
A systematic literature review covering the period 2001 to 2023 inclusive reaches the same core conclusion: support from top management and the organisational culture rank, together with the perceived effectiveness of the measures, among the determining factors for compliance behaviour (García de Blanes-Sebastián et al., 2025). And in the review study by Khando and colleagues (2021), which looked specifically at ways of increasing employees' security awareness, management participation emerges as one of the factors with the strongest effect on that awareness.
If managers are not involved, the other members of the organisation are not either.
Finding by Khando and colleagues (2021)
The same picture emerges when you put the question not to the literature, but to the people who build awareness programmes. Alyami and colleagues (2023, 2024) interviewed experienced professionals in the United States, the United Kingdom, Ireland and the Middle East, and derived from this eleven critical success factors for the effectiveness of security education, training and awareness programmes, ordered along the life cycle of such a programme. Management support and the availability of resources run through these as a precondition: without that foundation, the remaining success factors, such as tailoring and ongoing evaluation, simply never get off the ground.
The conclusion of this first finding is therefore clear. In the research, management involvement is not a desirable extra, but one of the primary factors that determine whether an awareness programme changes employee behaviour.
Figure 1: From management participation to secure behaviour. The participation of top management works through, both directly and via the security culture, to the attitude, the social norm and the perceived control of employees, and thereby to their behaviour. After Hu, Dinev, Hart and Cooke (2012).
02 · Finding: Involvement works through culture and role-modelling, not through the announcement email
So how exactly does this management influence work? The classic study on this is that of Hu, Dinev, Hart and Cooke (2012) in Decision Sciences. They placed the role of top management and the organisational culture within the theory of planned behaviour and tested that model with survey research and structural equation models. The result: the participation of top management in security initiatives has both a direct and an indirect influence on employees' attitude towards compliance, on the social norm they experience and on the extent to which they consider themselves capable of doing the right thing. A significant part of that influence runs through the organisational culture: management shapes the culture, and the culture shapes behaviour.
The key word in that study is participation, and that is no coincidence. The researchers draw an emphatic distinction between active management participation and support at a distance. A board that approves the programme and then takes no further notice of it provides support. A board that is the first to complete the training itself, talks about it in team meetings and asks about it in the quarterly reviews participates. Only that second form changes what employees regard as normal.
Research into leadership styles confirms this. Guhr, Lebek and Breitner (2019) linked the so-called full-range leadership model to employees' security behaviour, and found that inspiring and engaged leadership not only increases the willingness to follow the rules, but also the willingness to actively contribute, for example by reporting incidents or speaking to colleagues. Passive leadership, which only springs into action when something goes wrong, does not show these effects. And in the review study by Uchendu, Nurse, Bada and Furnell (2021) on building a security culture, management support is broken down into two dimensions: the importance that management attaches to security, and the commitment it visibly shows for it. Both full support and involvement from the top turn out to be necessary, because one does not work without the other.
For practice this means that the usual interpretation of management involvement, an announcement email at the start of the campaign, yields almost nothing. Employees read that email, then look at the behaviour of their own manager and take their cue from that. A director who shares his password with his management assistant tells the organisation more about the importance of security than ten campaigns combined.
Figure 2: Four forms of management involvement, rising from symbolic to structural: support (words and budget), participation (active involvement), role-modelling (doing yourself what the policy requires) and governance (steering, overseeing and accounting for). The research shows that the effect lies mainly in the top three rungs.
03 · Explanation: Management controls the opportunity, and that cannot be bought from a vendor
Why, then, is the role of management so decisive, even though it rarely develops or delivers the training itself? The answer becomes visible the moment you set the COM-B model from behavioural science alongside it (Michie, van Stralen and West, 2011). Secure behaviour only arises when three things come together: capability (knowledge and skill), motivation (the will) and opportunity (the physical and social space to do the right thing).
An e-learning provides the capability, and with a good design also part of the motivation. The opportunity, however, a vendor cannot deliver, because it lies almost entirely in the hands of management. Management determines whether employees may take the training during working hours or whether it has to be added on in the evening. It determines whether there is budget for repetition and tailoring, or only for a one-off licence. And it determines whether awareness is a fixed item on the agenda of the team meeting, or an annual obligation that team leaders quickly click away. Through the social norm and the role-modelling from the previous section, it moreover determines a sizeable part of the motivation.
This makes the reasoning "it's just rolling out an e-learning" fall into place. Anyone who reasons this way buys in only the first of the three preconditions for behaviour change and leaves precisely the two preconditions that only the organisation itself can provide. That is no minor detail. The meta-analysis by Prümmer, van Steen and van den Berg (2024), which we also cited in our report on phishing simulations, shows that training only changes behaviour noticeably when it is active, repeated and tailored to the target group. Repetition costs time during working hours, tailoring costs budget and active learning formats demand the attention of managers. The forms of training that demonstrably work are therefore precisely the forms that, without management involvement, are the first to be cut.
Bada, Sasse and Nurse (2015) already described why awareness campaigns so often fail to change behaviour: they broadcast information without changing the environment, they are one-off instead of ongoing, and they are not anchored in the organisation. Each of these three failure factors stems at its core from a decision, or the absence of one, at management level.
One caveat is in order here. Most research in this field is correlational: it shows strong and consistent relationships, but does not prove in the strict sense that the absence of management involvement is the cause of the failure. What is certain is that management involvement ranks among the strongest predictors of success, and that its absence undermines precisely the mechanisms on which behaviour change depends: the culture, the social norm and the opportunity to learn. For practice, that distinction matters less than it sounds. After all, the question is not who is to blame when a programme fails, but which preconditions you must arrange in advance to make it succeed.
Figure 3: The COM-B model with the role of management. The e-learning provides the capability. The motivation is shaped in part by the norms and the role-modelling of managers. The opportunity, that is the time, the budget and the priority, lies almost entirely in the hands of management. After Michie, van Stralen and West (2011).
04 · Approach: How to convince management
The preceding findings lead to an uncomfortable but usable conclusion: convincing management is not a side activity alongside the awareness programme, but its first phase. The research, supplemented by board research from MIT Sloan and Bentley University among directors and supervisory board members (Proudfoot, Cram, Madnick and Coden, 2023), points to five steps.
- Start with the duty of care and not with the threat. Frightening images of hackers do little for a board; awareness of its own responsibility does so all the more. The NIS2 directive and its national implementation place responsibility for the management measures explicitly with the board: it must approve the measures, oversee their implementation and can be held personally liable in the event of neglect. Board members are moreover required to follow training themselves and are expected to offer their employees comparable training (Directive (EU) 2022/2555, Article 20). Awareness is therefore not an offer from the CISO, but a legal task of the board for which the CISO provides support. That changes the tone of the conversation entirely.
- Do not ask for support, but for behaviour. "We are counting on the support of the board" produces approving nods and changes nothing. Instead, ask for three or four concrete, small behaviours that together do make the difference: management completes the training itself and first, talks about it in its own message or meeting, fixes the topic on its own meeting agenda and regularly asks managers about progress in their teams. These are the forms of participation and role-modelling whose effect the research demonstrates (Hu et al., 2012; Khando et al., 2021), and they cost a board member at most a few hours a year.
- Make the opportunity an explicit part of the decision. Do not put the purchase of an e-learning to management, but a decision with three components: the content (the programme), the opportunity (learning time during working hours, a rhythm of repetition and room for tailoring per target group) and management's own role (the behaviours from step 2). Anyone who has only the first component approved organises the failure of the other two. In doing so, make the cost of the opportunity visible in hours per employee per year, so that the board knows what it is really deciding about.
- Report in the language of risk and not in completion percentages. The board research shows that directors struggle with cybersecurity because the information they receive is too technical or too superficial (Proudfoot et al., 2023). A completion percentage for the e-learning tells a board nothing and in fact reinforces the image of awareness as a tick-box product. Report instead on indicators that touch on behaviour and risk, such as the reporting behaviour for suspicious messages, the outcomes per risk group and the residual risks the board accepts. In this way awareness becomes part of the risk dialogue in which a board feels at home, and which it must also steer under NIS2 and its national implementation.
- Use the science as a crowbar. To "it's just rolling out an e-learning" there is a short and honest answer: that has already been tried and studied, and that is not how it works. One-off, passive instruction barely changes behaviour; programmes with repetition, tailoring and visible management involvement do (Prümmer et al., 2024; Bada et al., 2015; Cram et al., 2019). A board that opts for the bare e-learning therefore knowingly and deliberately chooses the variant whose limited effect has been demonstrated. Few boards want to see that choice recorded in black and white in the minutes.
Figure 4: The persuasion route in five steps: from the legal duty of care, via a concrete request for behaviour and a complete decision, to reporting in the language of risk, underpinned by the current state of the science.
05 · Conclusion: Not the e-learning, but the resonance
In our report on phishing simulations the conclusion was that the problem does not lie with the employee. The conclusion of this report is its mirror image: the problem usually does not lie with the e-learning either. An awareness programme only changes behaviour when knowledge, motivation and opportunity come together. Of those three, the vendor provides only the knowledge and at most part of the motivation. The rest must come from the organisation itself, and that is the resonance the programme finds there: the manager who does or does not talk about it, the time that is or is not freed up for it and the director who does or does not do, himself, what the policy requires.
The scientific research is strikingly unanimous on this. Management involvement ranks among the strongest predictors of secure behaviour, it works through culture and role-modelling rather than through announcements, and its absence explains why so many programmes degenerate into an annual clicking obligation. For the professional, this means that the conversation with management is not preliminary work, but the heart of the profession. And since NIS2 and its national implementation, that professional stands stronger in that conversation than ever: the question is no longer whether the board wants to be involved in awareness, but whether it wants to carry out its legal task with the approach whose effect has been demonstrated.
Limitations
- This report is a literature review that summarises existing scientific research, and contains no new research of its own.
- Most of the cited research is correlational and partly measures behavioural intentions rather than observed behaviour; this demonstrates strong and consistent relationships, but no strictly causal proof.
- The research into management involvement focuses largely on compliance with security policy in a broad sense; studies that specifically test the failure of awareness programmes against management factors are scarcer.
- The cited studies were carried out in a range of countries and sectors, as a result of which the effects may differ per organisation and culture.
Sources
- Alyami, A., Sammon, D., Neville, K., and Mahony, C. (2023). The critical success factors for Security Education, Training and Awareness (SETA) program effectiveness: a lifecycle model. Information Technology & People, 36(8), 94–125. emerald.com/itp/article/36/8/94
- Alyami, A., Sammon, D., Neville, K., and Mahony, C. (2024). Critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives. Information and Computer Security, 32(1), 53–73. doi.org/10.1108/ICS-08-2022-0133
- Bada, M., Sasse, A. M., and Nurse, J. R. C. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society. arxiv.org/abs/1901.02672
- Cram, W. A., D'Arcy, J., and Proudfoot, J. G. (2019). Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance. MIS Quarterly, 43(2), 525–554. doi.org/10.25300/MISQ/2019/15117
- European Union (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), Article 20. eur-lex.europa.eu/eli/dir/2022/2555
- García de Blanes-Sebastián, M., et al. (2025). Factors influencing employee compliance with information security policies: a systematic literature review of behavioral and technological aspects in cybersecurity. Future Business Journal, 11, 28. doi.org/10.1186/s43093-025-00452-7
- Guhr, N., Lebek, B., and Breitner, M. H. (2019). The impact of leadership on employees' intended information security behaviour: An examination of the full-range leadership theory. Information Systems Journal, 29(2), 340–362. doi.org/10.1111/isj.12202
- Hu, Q., Dinev, T., Hart, P., and Cooke, D. (2012). Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture. Decision Sciences, 43(4), 615–660. doi.org/10.1111/j.1540-5915.2012.00361.x
- Khando, K., Gao, S., Islam, S. M., and Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers & Security, 106, 102267. doi.org/10.1016/j.cose.2021.102267
- Michie, S., van Stralen, M. M., and West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation Science, 6:42. doi.org/10.1186/1748-5908-6-42
- Proudfoot, J. G., Cram, W. A., Madnick, S., and Coden, M. (2023). The Importance of Board Member Actions for Cybersecurity Governance and Risk Management. MIS Quarterly Executive, 22(4), 235–250. aisel.aisnet.org/misqe/vol22/iss4/6
- Prümmer, J., van Steen, T., and van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206. doi.org/10.1016/j.cose.2024.104206
- Uchendu, B., Nurse, J. R. C., Bada, M., and Furnell, S. (2021). Developing a cyber security culture: Current practices and future needs. Computers & Security, 109, 102387. arxiv.org/abs/2106.14701