Recently, during a security event, I heard that several educational institutions had terminated their contract with their security awareness provider. The reason given: out of thousands of employees, only fifty participated in the training.
The conclusion followed quickly: “The content doesn’t resonate; let’s do it ourselves.” It is an understandable reaction, but also a misleading one. When less than one percent of employees participate, the issue is almost never the content itself. In practice, it is about communication, change management, culture, and engagement.
In this article, I explain why that is, what organizations often overlook, and how awareness can actually succeed.
When no one participates, content is rarely the problem
When fewer than one percent of an organization engages in awareness activities, this is not a content issue. Something much more fundamental is happening.
Anyone who has rolled out an awareness program knows that content is rarely the root cause of low participation. Of course, it helps when training is relatable, current, and easy to follow. But even the best videos and e-learning fail when employees perceive awareness as “an IT thing” or as something that does not truly matter.
In such cases, the challenge lies not in the training itself, but in how the organization communicates its importance.
Meaning, leadership, and rhythm are the real drivers of awareness
Behavior only changes when people understand why something matters. That understanding does not start with a course, but with meaning. If employees do not see how digital security relates to their own work, awareness remains abstract — something for later, when there is time. And there is rarely time.
Employees also instinctively sense whether a topic is supported by leadership. When executives do not explicitly state why awareness matters, or when managers do not encourage participation, awareness becomes optional. And optional initiatives rarely lead to change.
This is why organizations with strong management involvement almost always see higher participation rates — even when the content itself is basic.
Rhythm is equally important. Awareness works like any routine: through repetition. A single intranet message, weeks of silence, and then a mandatory training feels random. A predictable rhythm — for example, a short monthly theme — makes awareness normal and manageable. Employees know what to expect and why.
What is often forgotten is that awareness is, at its core, change management. It requires time, explanation, recognition, and patience. People need to place risks in their own context. Sometimes starting with examples from private life works better, because it lowers the threshold and creates recognition.
Awareness is culture change — and culture is built together
Creating your own content can be valuable, especially when it is organization- or sector-specific. But it does not solve the core problem when the foundations are missing. Content is not the engine; it is fuel. Without an engine, nothing moves.
The real question organizations should ask is not: “How do we create better content?” but: “How do we ensure employees understand why this matters and feel supported to participate?”
In organizations where awareness works, digital security is not confined to the IT department. Leaders refer to it in meetings. HR connects it to professional behavior. Communications ensure visibility. Ambassadors share experiences. Employees feel that security is not something they must do, but something that defines good work.
When that foundation is in place, participation follows naturally. At that point, the content provider matters far less — the organization itself ensures the program succeeds.
The situation at these educational institutions is therefore not proof of failing content. It is proof that awareness is more than training. It is culture. And culture does not change through new videos alone, but through meaning, communication, and leadership.
If we start there, participation will not be one percent, but eighty. And then the real success is not the content — but the organization itself.