2LRN4 security awareness platform
← Back to knowledge base

The visibility trap

Why visibility, meaning posters, mailings and intranet campaigns, is not the same as an awareness programme, and why more of the same actually undermines attention.

Recently updated

From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Book demo View the primary solution page
Alain Rees
Founder & Security Awareness Specialist · 2LRN4

In brief

  1. Visibility is not a programme. Posters, mailings and intranet campaigns are awareness activities, so one layer of a programme. A programme is a continuous, managed cycle that steers behaviour and culture, and not a collection of separate messages (NIST SP 800-50r1).
  2. Communicating often does not change behaviour. Spreading information mainly raises knowledge. Whether that is also converted into behaviour depends on motivation and on the opportunity to do the right thing. Campaigns that only inform change little (Bada, Sasse and Nurse, 2015; Michie, van Stralen and West, 2011).
  3. Too much of the same backfires. Through habituation, attention drops as early as the second exposure, and through message fatigue people start to ignore the message or even resist it. Attention and cooperation are a finite supply that you have to spend wisely (Anderson et al., 2015; So, Kim and Cohen, 2017; Beautement, Sasse and Wonham, 2008).

Many organisations feel that their awareness is in order. There are posters by the coffee machine, a mailing goes out every month, and the intranet carries a campaign with practical advice. The reasoning behind this is obvious. After all, a great deal is communicated about safe behaviour, and from there it is a short step to the thought that an awareness programme is in place. Equating visibility with a programme is understandable, but it is not correct.

This report examines two questions that lie beneath it. The first is whether a communication campaign is something fundamentally different from a behaviour programme. The second is when communicating loses its effect, that is, at what point more messages no longer help and even start to backfire. It sets out what the scientific research shows about this, and which approach follows from it.

For both questions it is important first to be clear about what we mean by a programme in this report. A programme is not a series of separate messages, but a continuous and managed whole that is aimed at behaviour. It establishes in advance which behaviour it wants to achieve, chooses suitable means to match, including training, exercises and communication, then measures whether that behaviour actually changes, and adjusts on the basis of that measurement. In other words, it is a cycle that sustains itself and is aimed at a goal. A campaign, by contrast, stands as a single or recurring message in its own right, and it can be a valuable part of a programme without ever coinciding with it.

About this report

Type
Literature review based on peer-reviewed research and authoritative standards.
Sources
Neuroscientific and field studies, communication science, behavioural science and the NIST guideline for learning programmes.
As of
June 2026.

01 · FindingVisibility is a layer, not a programme

The difference between communicating and a programme is not a play on words, but is set out in the guideline that the field uses for this. In its revised guideline, the US standards organisation NIST distinguishes three levels of learning: awareness, training and education (NIST SP 800-50r1, 2024). Awareness focuses people's attention on a topic, training teaches them a skill with which they can perform a task, and education is the in-depth, often career-oriented form. Posters, mailings and intranet campaigns almost all fall under the first level. They ask for attention, but they do not teach a skill and they do not on their own steer behaviour.

More important still is what the guideline understands by a programme. The 2024 revision describes a learning programme not as a series of messages, but as a managed cycle with a life cycle: you set goals, you align the content with roles and target groups, you measure the effect, and you adjust. Awareness campaigns are one of the building blocks within that cycle, alongside role-based training, exercises and targeted interventions. Equating a campaign with a programme is therefore a category mistake, because you confuse one layer with the whole.

Behavioural science makes the same distinction along a different route. The widely used Behaviour Change Wheel, which we also apply in The participation paradox, distinguishes nine types of intervention with which you can influence behaviour, and education is only one of them (Michie, van Stralen and West, 2011). Communicating mainly affects people's knowledge. It largely leaves untouched the other levers that behaviour hangs on, such as motivation and the practical opportunity. Whoever only communicates therefore operates one lever and leaves the other eight unused.

Communication is the awareness level

The three levels of learning according to NIST SP 800-50r1

Awareness posters · mailings · intranet campaigns Training role-based · skills Education more depth broader reach

Figure 1 Communication belongs to the broad bottom level, which focuses attention on a topic. A programme spans all three levels within a managed cycle. After NIST SP 800-50r1 (2024).

02 · FindingCommunicating often does not change behaviour

That campaigns do not always change behaviour is not a new insight. In a much-cited study, Bada, Sasse and Nurse analysed why awareness campaigns so often fail to change behaviour (Bada, Sasse and Nurse, 2015). Their conclusion was clear. Knowledge and awareness are a necessary condition, but on their own not enough. To change behaviour, people must be able to understand and apply the advice, and they must in addition be willing to do so. That willingness calls for a change in attitude and intention, and that does not arise automatically by spreading more information.

This is the well-known gap between knowing and doing. People know that they should use a strong password, that they should not just click on a link, and that they should store data properly, but behaviour does not automatically follow knowing. The Behaviour Change Wheel explains why this is so. Safe behaviour only arises when the knowledge and skill, the motivation and the opportunity to do the right thing come together (Michie, van Stralen and West, 2011). A campaign that only gives information fills, at most, the first box. Motivation and opportunity then remain untouched, and it is precisely there that behaviour often goes wrong.

Changing behaviour requires more than giving information about risks and desired behaviour. People must be able to apply that advice, and they must also be willing to do so.

After Bada, Sasse and Nurse (2015)

03 · ExplanationWhen communicating starts to backfire

The second question is when communicating not only yields little, but starts to backfire outright. The research points to two mechanisms that together explain why more of the same undermines attention: habituation and message fatigue.

The first mechanism is habituation, and that runs deeper than a question of motivation. In a series of brain studies, Anderson and colleagues used functional MRI to map how the brain responds to repeated security warnings (Anderson et al., 2015). Activity in the visual processing areas dropped sharply as early as the second exposure, and fell further with each subsequent repetition. A follow-up study in practice confirmed that picture. In a three-week field experiment, the degree to which people heeded warnings clearly declined the more often they came by (Vance et al., 2018). The message that always has the same form is registered less and less, even in the brain. What stands out is that warnings that kept changing form resisted this effect far better. Variation holds attention, whereas repeating exactly the same thing makes attention slacken.

Attention slackens with repetition of the same thing

Response to a warning by the number of exposures

high low attention / response 1st 2nd 3rd 4th 5th exposure varying form identical form

Figure 2 A conceptual representation. With repetition of exactly the same message, the response drops sharply as early as the second exposure. A message that keeps changing form holds attention better. After Anderson et al. (2015) and Vance et al. (2018).

The second mechanism is message fatigue, a concept from communication science. So, Kim and Cohen mapped how people respond when they are exposed for a long time to messages about the same topic (So, Kim and Cohen, 2017). What is involved is a state of exhaustion that arises from excess, repetition and monotony, and that leads people to start ignoring the message. Follow-up research showed that message fatigue undermines persuasiveness along two routes: through active resistance, where people start to resist the message, and through passive disengagement, where they simply no longer pay attention (Kim and So, 2018). What is worrying is that excess not only removes the effect, but can even make the desired action less likely than if nothing had been communicated. Comparable effects have been described in communication about climate and health, where too much of the same message actually lowered the willingness to take part.

In the security context this has acquired a name of its own. Researchers at NIST came across what they call security fatigue in interviews, a tiredness and unwillingness to engage with security any further (Stanton et al., 2016). People felt bombarded with warnings along the lines of watch out for this and watch out for that, and responded with resignation, a sense of loss of control, the trivialising of risks and the avoidance of decisions. The researchers therefore recommend keeping the number of security decisions you ask of people as small as possible.

These mechanisms come together in a sober economic idea, the compliance budget. Beautement, Sasse and Wonham showed that people follow security rules only up to a point, after which their willingness declines (Beautement, Sasse and Wonham, 2008). There is, in other words, a finite amount of attention and cooperation available, and above that limit every extra demand becomes harmful rather than useful. Every poster and every mailing costs something of that budget. Whoever keeps sending without counting those costs runs out of supply and has nothing left for the moment when it really matters.

Communicating more helps, until it backfires

Effect on behaviour by the amount of communication

effect on behaviour amount of communication optimum visibility pays off habituation · fatigue · resistance

Figure 3 A conceptual representation. Up to a certain point, communicating increases the effect on behaviour. Beyond that point, habituation, message fatigue and resistance take over, and the effect declines again. After So, Kim and Cohen (2017), Stanton et al. (2016) and Beautement, Sasse and Wonham (2008).

04 · ApproachFrom campaign to programme

If communicating is one lever and not a programme, and if more of the same starts to backfire at some point, then a different way of working follows from that. The core is to treat communication as a part of a programme that steers behaviour, and not as the programme itself.

  1. Treat communication as one lever within a managed cycle.Give the programme a life cycle instead of an agenda of separate messages: set goals, align the content with roles and target groups, measure the effect and adjust (NIST SP 800-50r1, 2024). A campaign is then an instrument within that cycle, and not its conclusion.
  2. Design for behaviour instead of for visibility.For every intervention, ask which part of behaviour you are influencing. A single message affects knowledge at most, whereas behaviour also requires motivation and opportunity (Michie, van Stralen and West, 2011). So make sure that the safe behaviour is not only known, but also attractive and easy to do.
  3. Vary the form to counter habituation.Do not repeat the same poster or mailing endlessly, because that is exactly what makes attention slacken. Vary form, channel and angle, so that the message is noticed afresh each time (Anderson et al., 2015; Vance et al., 2018).
  4. Respect the attention and compliance budget.Opt for fewer but more targeted and well-timed messages, and limit the number of decisions you ask of people (Stanton et al., 2016; Beautement, Sasse and Wonham, 2008). Every unnecessary message costs part of a supply that you do better to save for the moment that it matters.
  5. Measure behaviour and effect instead of the number of messages.Do not count how many posters were up or how many mailings went out, but look at what people actually do, such as reporting suspicious messages. That such a skill, recognising phishing, does not improve by itself from exposure alone, we set out in The Attention Problem. Under the NIS2 directive, the duty of care for resilient behaviour is moreover a responsibility of the management body, and getting that leadership on board is a task in its own right, as we showed in The Buy-in Problem. That responsibility is easier to substantiate with behavioural figures than with a tally of outputs.

And the campaign itself?

Communication is not pointless, quite the opposite. Visibility is needed to put a topic on the map, to set the tone and to remind people that safe behaviour matters. The criticism in this report applies to one way of working, namely the campaign that is regarded as the whole programme, that endlessly repeats the same thing, and that is judged on the number of messages instead of on the behaviour that follows from it. When you deploy communication differently, that is, as a deliberate lever within a programme designed for behaviour, it remains a valuable and indispensable instrument.

05 · ConclusionVisibility is a start, not a programme

A communication campaign is something fundamentally different from a behaviour programme. Visibility focuses attention, but it does not teach a skill and it does not on its own steer behaviour. A programme combines that visibility with training, with attention to motivation and opportunity, with measurement and with adjustment, and it does so as a managed cycle instead of as a series of separate messages. Whoever equates the two confuses a layer with the whole.

And communicating loses its effect as soon as repetition makes attention slacken and fatigue takes over. Through habituation the response drops as early as the second exposure, through message fatigue repetition can even backfire, and the attention and compliance budget is simply finite. The right question is therefore not whether a great deal has been communicated, but whether behaviour and culture have been durably changed. Visibility is a start in this, and not a programme.

Limitations

  • This report is a literature review that summarises existing scientific research, and contains no new research of its own.
  • Part of the evidence on habituation was measured on security warnings on a screen. The translation to posters, mailings and intranet campaigns rests on the underlying mechanism and not on a direct measurement in those channels.
  • The research on message fatigue comes largely from communication about health and climate. The mechanisms are broadly confirmed, but the precise threshold values may differ by context and audience.

Sources

  1. Anderson, B. B., Kirwan, C. B., Jenkins, J. L., Eargle, D., Howard, S., and Vance, A. (2015). How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study. Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI '15), 2883–2892. doi.org/10.1145/2702123.2702322
  2. Bada, M., Sasse, A. M., and Nurse, J. R. C. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society. arxiv.org/abs/1901.02672
  3. Beautement, A., Sasse, M. A., and Wonham, M. (2008). The Compliance Budget: Managing Security Behaviour in Organisations. Proceedings of the 2008 New Security Paradigms Workshop (NSPW '08), 47–58. doi.org/10.1145/1595676.1595684
  4. Kim, S., and So, J. (2018). How Message Fatigue toward Health Messages Leads to Ineffective Persuasive Outcomes: Examining the Mediating Roles of Reactance and Inattention. Journal of Health Communication, 23(1), 109–116. doi.org/10.1080/10810730.2017.1414900
  5. Michie, S., van Stralen, M. M., and West, R. (2011). The behaviour change wheel: A new method for characterising and designing behaviour change interventions. Implementation Science, 6, 42. doi.org/10.1186/1748-5908-6-42
  6. National Institute of Standards and Technology (2024). Building a Cybersecurity and Privacy Learning Program. NIST Special Publication 800-50r1. doi.org/10.6028/NIST.SP.800-50r1
  7. So, J., Kim, S., and Cohen, H. (2017). Message fatigue: Conceptual definition, operationalization, and correlates. Communication Monographs, 84(1), 5–29. doi.org/10.1080/03637751.2016.1250429
  8. Stanton, B., Theofanos, M. F., Prettyman, S. S., and Furman, S. (2016). Security Fatigue. IT Professional, 18(5), 26–32. doi.org/10.1109/MITP.2016.84
  9. Vance, A., Jenkins, J. L., Anderson, B. B., Bjornn, D. K., and Kirwan, C. B. (2018). Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments. MIS Quarterly, 42(2), 355–380. doi.org/10.25300/MISQ/2018/14124
Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.

Book demo Download guide More articles