
Can BS make SA&T stick? Hot takes from the experts…


1 February 2025

Using insights from “Oh, Behave!” to strengthen security training and drive lasting behavioral change

Security training. It’s as commonplace in an organization as writing “see attached” and forgetting to attach anything.

It can help to tackle cybersecurity risks—but only when done well.

Simply giving people information doesn’t guarantee a change in behavior. The data in the latest “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report” backs this up, with stats suggesting SA&T may not effectively engage employees or translate into improved security behaviors.

“Oh, Behave!” is based on a global study of over 7,000 participants, and it highlights the complex, often surprising (and, let’s face it, sometimes wholly baffling) nuances of human behavior.

The findings are as broad as they are fascinating. But we know the real question here is:

“How do we take those insights and apply them practically to SA&T programs?”

To arrive at the most useful answers, we hosted a webinar featuring a panel of indisputably impressive industry-leading experts.

Seriously, check out this lot:

Oz Alashe MBE, CEO & Founder, CybSafe

Lisa Plaggemeir, Executive Director, The National Cybersecurity Alliance

Marielle Ehrmann, ESVP, Chief Security Compliance & Risk Officer, SAP SE

Ruth Lees, Security Awareness and Skills Consultant, M&G plc

Together, they rolled up their sleeves and dove deep into the findings. What they served up was a delectable platter of actionable ideas sure to help your organization make impact with its security program.

You should 100% watch the webinar, but if you’re in a rush right now, we’ve got the highlights for you right here.

Like The Godfather movies, this blog is an unmissable three-parter (no horses were harmed during the making):

PART 1: How can SA&T help to manage the risks and opportunities of GenAI use?

PART 2: How can SA&T bridge the gap between security knowledge and real behavior change?

PART 3: How can SA&T tackle security fatigue and lead to empowerment rather than overwhelm?

PART 1: How can SA&T help to manage the risks and opportunities of GenAI use?

AI & SA&T: Putting stabilizers on the shiny new toy

“I think what we’re seeing is with any new technology—whether it’s AI, or whatever comes afterwards—there’s this kind of natural limbo state” — Ruth Lees

AI’s come a looong way since it was a playful twinkle in Silicon Valley’s eye.

It’s shiny. It’s new. And boy, is it complicating security efforts.

There’s much to say about what AI means for security, and for security practitioners. (By the way, our AI opportunities and challenges blog covers a lot of this complicated ground swiftly if you’re looking for a primer.)

In essence, as much as AI can revolutionize threat detection and streamline operations, it also brings along serious risks. But if you’re here, you already know that much. So, what else?

Our research for the 2024/25 “Oh, Behave!” report revealed that a whopping 52% of employees reported having no training on how to use AI safely, and 38% are sharing sensitive organizational data with AI without their employer’s knowledge.

These stats leave us in no doubt about the pressing need for organizations to address the safe use of AI—fast.

Ruth Lees (Security Awareness and Skills Consultant for M&G) kicked off the AI conversation. She highlighted the inevitable teething issues when adopting new technologies like AI:

“I think what we’re seeing is with any new technology—whether it’s AI, or whatever comes afterwards—there’s this kind of natural limbo state where companies want to embrace it. You have early adopters who are using it, maybe incorrectly, and there’s this kind of catch-up period for awareness—you’re waiting for the direction from regulations and legislations to guide you, for you to then build up your guardrails around it.”

So, AI adoption is growing, but without the necessary safeguards it can quickly become a breeding ground for cybercriminals.

That’s not to say simply trying to put the brakes on AI is the answer though. Marielle Ehrmann (ESVP, Chief Security Compliance & Risk Officer at SAP SE) emphasized the importance of embracing AI while managing its risks, and how they achieve this balance at SAP:

“AI of course is a top concern for us, but it’s also a great opportunity, and this is also why we don’t—and we can’t—stop the use of tools such as ChatGPT, nor do we want to—I want to be very clear with that.

But we need to give our employees freedom within borders, guidelines for safe usage of AI, and in fact we encourage them to use ChatGPT, and we have made available our own safe environment within the SAP landscape for our colleagues to use, so that we really can make sure we’re aligning with data protection to make it easy for people to stay compliant.”

“AI is a top concern for us, but it’s also a great opportunity…We don’t—and we can’t—stop the use of tools such as ChatGPT, nor do we want to.” — Marielle Ehrmann

The message is clear: don’t fear AI—embrace it, with safety measures. The answer isn’t to never get on a bike, but to learn in a way that reduces harm. Stabilizers on. 

Lisa Plaggemeir (Executive Director for the National Cybersecurity Alliance) was keen to share her perspective on messaging. How we speak about new technologies matters. What works best is an empowering approach, as opposed to a panic-inducing one:

“Crying wolf or feeling like the sky is falling, or being too negative in your messaging is going to immediately turn some people off and they’re not even going to read the rest of your article or watch the rest of your video. A positive message that empowers people to use it securely is a whole lot better.”

But there was something else that struck Lisa when she was prepping for the dozens of talks she gave to organizations during Cybersecurity Awareness Month in October: “One of the topics that came up in our prep calls was ‘Do you have an AI policy so that we can reference that in our talk?’”

She was surprised by the number of organizations that have yet to produce a policy: “I understand that writing policies is really complicated, there are a lot of people involved, but I would encourage folks not to let perfection be the enemy of the good here, and to do something quickly rather than to do nothing at all.”

To cut to the chase: Don’t ban AI in your organization. Equip your people with the right tools and training to use it safely, and make sure they know you’ve got their back. That’s how we keep security at the forefront while embracing the shiny stuff.

PART 2: How can SA&T bridge the gap between security knowledge and real behavior change?

Discussing the disconnect

“Knowledge does not directly translate into actual behaviors.” — Ruth Lees

Ah, the age-old misconception about human behavior: “I know better, so I’ll do better.” Except, nope, it’s never that simple. People often don’t do what they know they should do.

Knowledge does not directly translate into actual behaviors. We know this. We’ve seen it in action. Yet it still stings—and still takes many of us by surprise.

“Oh, Behave!” data hits us with a hard truth: 23% of people don’t complete security training because they think they already know enough.

Meanwhile, 35% of people still use personal information in their passwords, despite being told repeatedly to avoid doing so. 

Welcome to the huge disconnect between knowledge and behavior.

It’s easy to focus on knowledge delivery. On a fancy slideshow. On putting ALL the information out there. But getting people to translate that knowledge into habit is where the challenge lies.

What’s so often missing from the equation is an environment that makes good security habits easy.

Marielle gave a perfect illustration of how this is done at SAP: 

“The topic of passwords continues to be a focus area for us, not only because people include personal information in their passwords, but also because of how they store their passwords. We make password managers available across the organization so that everyone in the organization can use them, but even more importantly what we’ve implemented across SAP is single sign on, so there’s actually no need to log in with different passwords for each application that we use. However, we still encourage the usage of password managers for any application that goes beyond the usage of single sign on.”

Marielle pointed out a reason to be cheerful: “The [Oh, Behave!] survey shows clearly in which areas we have work to do, but it also shows the significance of training, because the numbers of those who have reported using multi-factor authentication have increased year over year…so we agree with the survey conclusion: the data highlights a clear need for more effective strategies to improve password practices and the increase of MFA usage.”

And let’s talk about those stubborn password myths, and the die-hard habits that go with them. For Lisa, the struggle is beyond real:

“There are individuals I will talk to who will keep a [password] spreadsheet on their laptop that’s password protected. They’ll even go to the trouble of trying to figure out how to encrypt them, and they feel like that’s safer than a password manager. I have to gently explain that there’s a lot more protection going into protecting your passwords at a password manager company than you can possibly do—especially if you get a malware infection on that laptop.”

As the age-old saying goes, you can lead a horse to water…but getting said horse to use a password manager is a whole other matter. And even with access to tools like password managers and single sign-on systems, many people still don’t use them properly. The real challenge is removing friction and making security practices feel easy and accessible, rather than relying on knowledge alone.

It boils down to: Don’t just tell people what to do. Make it easy for them to do it. Security is strongest when it’s personal, simple, and accessible.

PART 3: How can SA&T tackle security fatigue and lead to empowerment rather than overwhelm?

Pulling the plug on security fatigue

The third major barrier to success in SA&T? Security fatigue. We’ve all been there: bombarded with constant alerts, reminders, and training modules.

Eventually, people burn out, disengage, and maybe start minimizing what they do online. In fact, 46% of people reported that staying safe online was frustrating, and 44% said it was intimidating.

Lisa believes one particular surefire recipe for disengagement could be to blame:

“There’s debate about whether or not fear is a good motivator. I personally don’t like it as a motivator because if you tell people ‘You need to do this thing because otherwise something bad might happen to you’, number one, you’re selling an intangible, you’re trying to convince them that something they can’t feel or touch or see or taste might happen, and number two, there’s only a remote possibility it’ll happen.

And so you’re trying to convince somebody to change their behavior based on something that’s intangible and remote…and then you use fear to do that. That’s all really hard and really problematic, because you can only do that for so long. If the bad thing doesn’t happen to the person that you’re advising or trying to educate, they’re just going to disregard your messaging because in a sense you were wrong, nothing bad happened as a result of the bad habit.”

So, how does Lisa do it?

“I would rather use positivity. I’d rather talk about peace of mind and how easy and quick some of these things are to do. I can authenticate with a password manager and MFA especially using facial recognition with my phone and my password manager and things like that. I can authenticate faster than if I had to actually type in my username and my password by myself, so that’s incredibly quick and convenient and probably more secure than what you’re doing otherwise.

When I talk to people about their password notebooks, I say, ‘You know, that’s got to be a real pain, to have to type in that long, complex password from your password notebook every time. Wouldn’t you rather use a password manager and just let it populate it for you?’ That’s when people hear the convenience and the ease of use. If we can lean into that message of positivity—‘You’re going to feel better if you do these things’, ‘You won’t worry as much’, ‘This isn’t that complicated’, ‘MFA is not hard’—I think those are better arguments than ‘This remote and intangible scary thing might happen to you.’”

Meanwhile, Ruth nailed it with the importance of knowing your audience and tailoring your message:

“When I was reading through the stat, it really made me wonder: can we really ever know enough? 23% of people think they know enough, but actually the survey also shows clearly that across generations and regions this number can vary greatly. For me, this is a good indication that one training per year shouldn’t be seen as a one-size-fits-all activity across an organization.”

Marielle explained how SAP handles phishing awareness campaigns:

“It’s all about emotions and becoming resilient when it comes to cybersecurity topics—when it comes to phishing or hacker attacks. So we [SAP] clearly set the goal that we want to create phishing campaigns that really embrace people. We are not going for those ‘gotcha’ moments—this would only lead to the feeling of being exposed and feeling targeted, and this is not what we want.

The goal instead is to create those ‘Aha!’ moments…so in other words our goal is not just helping employees avoid a bad click, but instead that employees feel empowered to promptly report anything unusual or admit when they’ve made a mistake, and I think that’s the culture we all need to embrace.”

The tastiest takeaway here? Move away from fear-based messaging. Lead with solutions that make security feel manageable. When you empower people to take control of their security habits, you build a culture where security is second nature.

We’re wrapping it up…with a reframe

So, a focus on knowledge alone won’t solve the problem—“Oh, Behave!” makes that clear, even if it might have seemed easier to ignore before.

What really matters—ultimately—is risk. And we can affect that by influencing people to apply their knowledge in their daily habits.

As Marielle put it, the right environment matters:

“We need a strong network of people across the organization being aware of risk identification and also establishing a network of experts … I think a basic understanding of security risks needs to be within the DNA of each and every employee within a company.”

In the end, we can’t ignore the simple fact: Behavior change is the key to reducing human-related security risks. 

For too long, there’s been an over-reliance on outdated, poor-quality SA&T to somehow turn information into better cyber behavior. But SA&T has so much potential to be part of a raft of efforts that guide people across the knowledge-to-behavior gap, by creating meaningful, easy-to-use tools that empower them to make better decisions.

So, as we move forward with our SA&T programs, let’s remember: knowledge isn’t enough. Instead, our experts are urging practitioners to create the right conditions for the application of knowledge.

That’s what reduces human cyber risk, and that’s what makes the difference.

“A basic understanding of security risks needs to be within the DNA of each and every employee within a company.” — Marielle Ehrmann


Want even more nuggets of wisdom?

Of course you do! Watch the webinar for more pro tips on how to turn security awareness into real behavior change.
