"If you train on everything, nobody learns what really matters." Many organisations start their awareness programmes with good intentions: everyone must know more about privacy, security, phishing, data breaches, social engineering, passwords, ransomware, safe software, BYOD, cloud use. But when you make everything important at once, the programme loses its direction.
The real problem: everyone gets the same training
Awareness only works when it connects to the reality of employees. And that reality differs enormously per role. An HR adviser runs totally different risks than a researcher. A finance employee sees different kinds of messages than a teacher. A receptionist deals with different people than an IT administrator. Yet in many organisations they all get exactly the same training.
As soon as employees notice something is not meant for them, they disengage. "This does not apply to me", they think. Or: "This is about systems I never work in." And then something important happens: they learn less, not because the content is bad, but because it does not feel relevant.
A solid risk analysis — who runs which risks, why, in which context — makes this difference visible. Only then can you segment: per role, per department, per risk group. Not generic awareness, but targeted attention. Not 20 topics, but the 3 that truly matter.
When you train on what matters most, something happens
As soon as awareness is based on a clear risk analysis, the whole programme changes. Employees get information that fits their work, their decisions and their daily risks. It feels logical. More relevant. Shorter, even. Because you no longer have to cover everything, only what matters.
A finance team learns how to recognise payment fraud. Teachers learn the risks around student data. Researchers learn about data classification and external collaborations. The training becomes meaningful. And meaningful behaviour does stick.
Segmentation is not a luxury, but a precondition. It prevents noise, reduces resistance and raises motivation. It makes awareness programmes smaller, sharper and more effective. You do not change behaviour by telling everyone the same thing, but by giving everyone what fits their work.
FAQ
How do you do a risk analysis without a big consultancy project?
Start small: 5 audiences, 5 questions each ('which daily decisions do you make involving money or data?'). Two hours of work per audience, no formality needed.
How many audiences is workable?
4-7 audiences for an organisation of 500-2000 employees. More becomes a management nightmare. Fewer becomes generic.
What if an audience says 'we run no risk'?
Probe into concrete daily actions. Everyone who works with data or money runs risk, only the type differs.
How often do you update the risk analysis?
Annually. Plus after major incidents or strategic changes (acquisition, new IT platform, sector incident).