In brief
- A mandate reliably increases the number of employees who complete the training, but the completion rate is a measure of activity rather than of outcome. The win that organisations celebrate, a completion rate of close to one hundred per cent, is not the win they are after, namely safer behaviour.
- Making it voluntary is not an alternative. Without a mandate, participation stays so low that there is little to change. The opposition between having to and wanting to is therefore a false one: the mandate delivers the necessary reach, but it does not do the actual work.
- Whether mandated participation translates into behaviour depends on the type of motivation the mandate evokes. That type is determined by how the training is designed, not by the mandate itself. A mandate that supports an employee's autonomy, competence and relatedness moves towards genuine choice, whereas a purely controlling mandate breeds resistance, fatigue and the explaining away of rules.
About this report
- Type: Literature review based on peer-reviewed research and authoritative standards.
- Sources: A meta-analysis of 69 studies, large-scale field studies, and empirical work from behavioural science and information security, including self-determination theory, reactance theory, and research into security fatigue and neutralization.
- As of: June 2026.
01 · Finding · Participation rises, the outcome does not follow
A mandate is an effective way to get the numbers in order. Anyone who makes the annual e-learning compulsory and pairs it with a reminder and a completion deadline will almost always see the completion rate creep towards one hundred per cent. The awkward part is simply that this completion rate measures something other than what the programme is meant to achieve. Completion shows that the training has taken place, not that the employee's behaviour has changed. It is a measure of activity, while the programme is pursuing an outcome.
That distinction is not a matter of semantics, because it is borne out by the figures. The meta-analysis of 69 studies by Leiden University shows that training has a large effect on employees' knowledge and attitude, but that the average effect on actual behaviour is small (Prümmer, van Steen and van den Berg, 2024). An employee can therefore work all the way through the module, pass the quiz and demonstrably know more, without their behaviour changing at the decisive moment. The completion is real, the behaviour change fails to materialise. It is precisely into that gap that the organisation falls when it reports one hundred per cent completion and infers from this that the programme works.
This gap between knowing and doing is not a quirk of security awareness, but a well-established finding from behavioural science. The Behaviour Change Wheel makes clear that knowledge is a precondition for behaviour, but is not enough on its own. Alongside the ability to act, the motivation to do the right thing and the opportunity to do so are also needed (Michie, van Stralen and West, 2011). A mandate mainly addresses the first condition, the transfer of knowledge, and leaves motivation and opportunity largely untouched. That alone explains why participation can rise while the outcome stands still.
Figure 1 Large effect on knowledge, small effect on behaviour: effect size (Cohen's d) of security awareness training. A large effect on knowledge and attitude against a small average effect on behaviour. The completion rate approximates the left-hand bar, while the programme is pursuing the right-hand bar. Source: Prümmer, van Steen and van den Berg (2024). Cohen's d is a standardised measure of the strength of an effect, where roughly 0.2 is small, 0.5 medium and 0.8 large.
02 · Finding · Why making it voluntary is no way out
The obvious response to the above is to drop the compulsion and rely on voluntary participation, on the assumption that those who take part of their own accord also learn with more motivation. The problem is that this reasoning runs aground on a simple fact: without a mandate, almost no one takes part. Large-scale field research found that voluntary, non-mandatory training reached too few employees to have a measurable effect (Lain, Kostiainen and Čapkun, 2022). What no one does cannot change anyone's behaviour.
This casts the opposition between having to and wanting to in a different light. It is a false opposition. Voluntary participation reaches too few people to shift anything, whereas a mandate delivers precisely the reach needed to work on behaviour change at all. In that sense the mandate is not an evil to be avoided, but a floor that you need. The real problem lies not in whether you make participation compulsory, but in the unspoken assumption that often sits behind it, namely that the mandate does the work. Once participation has been enforced, the organisation regards the task as accomplished, while in fact the real work is only just beginning.
The right question is therefore not whether the training should be mandatory, but what a mandate does to an employee's motivation, and under what conditions enforced participation translates into different behaviour.
03 · Explanation · What a mandate does to motivation
To understand why one mandatory training sticks and another does not, the self-determination theory of Deci and Ryan is a useful framework (Ryan and Deci, 2000). That theory distinguishes motivation not simply into much or little, but into kinds. At one end is behaviour that is entirely enforced from the outside, for instance because a penalty would otherwise follow. At the other end is behaviour that the employee experiences as their own choice, because it aligns with what they consider important. Between the two lies a gradual transition that the theory calls internalisation: the process in which something that was initially imposed slowly comes to feel like the employee's own.
The theory identifies three psychological needs that fuel this internalisation. The first is autonomy, the sense that you act of your own free will rather than having something forced upon you. The second is competence, the sense that you are capable and that your effort leads somewhere. The third is relatedness, the sense of being part of a larger whole in which the behaviour has meaning. Research into security policy compliance confirms that these three needs positively influence the intention to comply, and that employees follow policy most durably when they experience it as their own choice (Alzahrani and Johnson, 2019).
This is also where it becomes apparent why compulsion is a double-edged sword. A mandate can actually undermine an employee's autonomy, and then the mechanism that psychology calls reactance comes into play: a perceived restriction of one's own freedom provokes resistance, and that resistance turns against precisely the behaviour that was imposed (Wall, Palvia and Lowry, 2013). The employee does complete the module, because they have to, but the type of motivation underneath it remains wholly external. As soon as the pressure falls away, the behaviour falls back too. That is the heart of the paradox: the mandate buys participation, but the type of motivation it evokes determines whether anything remains once the credits have rolled.
Figure 2 The motivation continuum, from imposed to genuine choice: the continuum of motivation, from wholly imposed behaviour to behaviour that the employee experiences as their own choice. A mandate places the employee on the left-hand side, and only a design that supports the three psychological needs moves them to the right. After self-determination theory (Ryan and Deci, 2000).
04 · Explanation · The side effects of a purely controlling approach
When a mandate is set up purely as a means of control, that is, as a list of modules to be ticked off with a penalty at the end, side effects arise that undermine the programme. The first is security fatigue. Researchers at the US standards body NIST described how employees, overloaded with security demands, develop a sense of resignation and loss of control, leading them to avoid decisions and to disregard advice (Stanton, Theofanos, Prettyman and Furman, 2016). A mandate that demands the same thing of everyone year after year feeds precisely that fatigue rather than vigilance.
The second side effect is subtler and is called neutralization. This is the phenomenon in which someone justifies a violation to themselves before committing it, for instance with the thought that just this once can do no harm or that the rule was not really meant for this situation (Sykes and Matza, 1957). In information security, neutralization has proven to be an important predictor of the deliberate violation of security policy (Moody, Siponen and Pahnila, 2018). Its connection with compulsion and fatigue is direct, because research shows that the likelihood of such explaining away increases as security-related stress and exhaustion rise (D'Arcy and Teh, 2019). A programme that leans mainly on pressure and repetition therefore produces not only fatigue, but also hands the employee the mental room to circumvent the rules after all.
An important nuance is in order here, because the evidence on compulsion and penalties is mixed and far from clear-cut. Some research finds that a perceived threat of punishment actually raises the intention to comply, while other research finds no relationship or even a counterproductive one. A leading analysis of the deterrence literature accordingly concludes that the results contradict one another and depend heavily on context (D'Arcy and Herath, 2011). The right conclusion is therefore not that compulsion is always counterproductive, but that the motivation compulsion evokes is fragile, and that a purely controlling set-up has side effects that undermine the intended behaviour change.
A commonly heard idea deserves a separate note here. The notion that employees, having completed their mandatory module, believe themselves vaccinated and therefore become less alert is appealing and not implausible, but as yet it lacks firm grounding in security research. It rests on the broader psychological phenomenon of moral licensing, which has not yet been firmly demonstrated in this specific context. We therefore include it as a hypothesis and not as a finding, and the well-supported mechanisms of security fatigue and neutralization carry the argument on this point well enough.
05 · Approach · Designing a mandate so that participation becomes behaviour
If the mandate provides the floor and the design makes the difference, then the task lies with that design. The research points to a number of choices that help enforced participation tip over into motivation that the employee experiences as their own choice.
- Explain why, not just what. A mandate that merely prescribes what must be done does not support autonomy. An explanation that makes clear why the behaviour matters, precisely for this employee and this organisation, helps the external rule to internalise into a genuine conviction (Ryan and Deci, 2000).
- Give choice where you can. The mandate concerns the fact of participation, but leaves room in the how and the when. Some say over the timing, the pace or the order restores part of the autonomy without putting reach at risk.
- Make it relevant per role. A single mandatory module for the whole organisation ignores the fact that the risks and the context differ from one role to another. Content that fits the day-to-day work strengthens both the sense of competence and the perceived relevance, and with it the motivation to apply what has been learned.
- Build competence rather than knowledge alone. Short, repeated and practice-oriented exercises work better than one long annual module, because they give the sense that you are capable and keep the material alive without exhausting the employee.
- Steer on behaviour, not on completion. As long as the organisation takes the completion rate as its yardstick, it is optimising for the wrong outcome. Measures that approximate actual behaviour, such as reporting suspicious messages or handling data correctly, keep sight of what the programme is really aiming for.
The common thread running through these choices is that the mandate is used to get people in, and the design to move them. A programme that leans only on the mandate leaves motivation external and therefore fleeting. A programme that supports the three psychological needs gives enforced participation a chance to grow into behaviour that holds up even when no one is watching any more.
06 · Conclusion · The mandate determines participation, the design determines change
The participation paradox can be summed up briefly. A mandate reliably increases participation, but participation is not the goal. The goal is different behaviour, and that does not follow automatically from completing a module. Making it voluntary is no way out, because it reaches too few people to change anything. The mandate therefore determines who is in the room, while the design of the training determines whether anything changes.
The opposition between having to and wanting to is thus false. It is not a matter of having to or wanting to, but of having to and wanting to, joined by the process of internalisation. A mandate that supports an employee's autonomy, competence and relatedness uses compulsion as a starting point and not as an end point, and gives imposed participation a chance to become genuine choice. A mandate that merely controls produces attendance with fatigue and explaining away as side effects. The win does not lie in a higher completion rate, but in the question of whether that completion translates into behaviour, and that is not a matter of mandating more strictly, but of designing better.
Limitations
- This report is a literature review that summarises existing scientific research, and contains no new research of its own.
- The studies cited were carried out in a variety of organisations and contexts, so the effects may differ from one environment to another.
- The evidence on how compulsion and penalties work is mixed, and this report summarises that spread rather than resolving it.
- The so-called vaccination effect is included in this report as a hypothesis and not as a finding, because direct grounding in security research is as yet lacking.
Sources
- Alzahrani, A., and Johnson, C. (2019). AHP-based Security Decision Making: How Intention and Intrinsic Motivation Affect Policy Compliance. International Journal of Advanced Computer Science and Applications, 10(6). dx.doi.org/10.14569/IJACSA.2019.0100601
- D'Arcy, J., and Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems, 20(6), 643–658. doi.org/10.1057/ejis.2011.23
- D'Arcy, J., and Teh, P. L. (2019). Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Information & Management, 56(7), 103151. doi.org/10.1016/j.im.2019.02.006
- Lain, D., Kostiainen, K., and Čapkun, S. (2022). Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE Symposium on Security and Privacy, 842–859. arxiv.org/abs/2112.07498
- Michie, S., van Stralen, M. M., and West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation Science, 6:42. doi.org/10.1186/1748-5908-6-42
- Moody, G. D., Siponen, M., and Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–311. doi.org/10.25300/MISQ/2018/13853
- Prümmer, J., van Steen, T., and van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206. doi.org/10.1016/j.cose.2024.104206
- Ryan, R. M., and Deci, E. L. (2000). Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. American Psychologist, 55(1), 68–78. doi.org/10.1037/0003-066X.55.1.68
- Stanton, B., Theofanos, M. F., Prettyman, S. S., and Furman, S. (2016). Security Fatigue. IT Professional, 18(5), 26–32. doi.org/10.1109/MITP.2016.84
- Sykes, G. M., and Matza, D. (1957). Techniques of Neutralization: A Theory of Delinquency. American Sociological Review, 22(6), 664–670. doi.org/10.2307/2089195
- Wall, J. D., Palvia, P., and Lowry, P. B. (2013). Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy. Journal of Information Privacy & Security, 9(4), 52–79. doi.org/10.1080/15536548.2013.10845690