Maximizing security awareness engagement: How the pros do it

The top mic-drop insights from our Cybersecurity Awareness Month engagement webinar

We know people whose organizations make a big deal of CAM are much more likely to rate cybersecurity as important. However, you *might* have noticed that engaging people isn’t simple. 

With so many competing messages and tasks, how can you cut through the noise and make cybersecurity a top-of-mind issue?

That’s exactly why we hosted this webinar: Maximizing user engagement during Cybersecurity Awareness Month

The webinar was put on for CAM. But the lessons apply all year round.

What are the tactics that grab people’s attention, make an impression, and ultimately nurture the security culture and the security posture of your organization? Not just in theory, but actually stuff that works on the ground, tried and tested, not pie-in-the-sky.

We assembled a uniquely expert panel with diverse backgrounds and roles. We invited them to spill their victories, wisdom, and yes, mistakes…all so they could help you detangle the engagement enigma.

Dr Suzie Dobrontei

Behavioral Scientist, CybSafe

We know what you’re thinking: Any one of these people could deliver the whole wisdom-packed webinar on their own—and it could last a whole week. So when we tell you this sixty minutes is crammed with proven strategies and inspiration, we ain’t messin’.

And on top of all that, our behavioral science buffs at CybSafe have crafted not one, but two resources to maximize your SA&T efforts:

But enough preamble. Let’s dive into the discussion.

Ditch mandatory training, starting riiiight…now!

It’s mandatory because everyone needs to know this stuff.

Right, but … there’s something about mandatory training that ends up doing the opposite. It can harm people’s relationship with cybersecurity. Why is that, and how can we solve it?

Part of the “why” is psychological reactance. It’s the mechanism behind reverse psychology tactics. When people are told they must do something, they may feel their autonomy is threatened, leading them to resist, or even to rebel.

So telling people to be safe online can sometimes have the opposite effect. (Brains. As perplexing as they are fascinating, aren’t they?)

From mandatory to multi-faceted?

We can’t ignore the fact that no two brains are alike, as Nick points out: “In 2024 we know a lot more about the human mind than we have ever done, so what you do have also have to take into account is the number of neurodiverse people that we have in our audiences who need a different kind of tailored messaging.

In some cases—ADHD is a really good example—there is quite a lot of psychological reactance…we’re dealing with different people that need different kinds of engagement methods which ultimately can have a real impact on the kind of success we have with our campaigns.”

“We’re dealing with different people that need different kinds of engagement methods which ultimately can have a real impact on the kind of success we have with our campaigns.” – Nick

Jan van de Weerdhof agrees, having witnessed up close the benefits of ditching mandatory training: “When you start with a new company, you go to the mandatory training, the term ‘mandatory training’ is a switch-off point,” he says. “The brain thinks ‘I’m not going to do that. Absolutely not.’ We changed the name to non-mandatory training, and suddenly we have higher uptake.”

“The term ‘mandatory training’ is a switch-off point. The brain thinks ‘I’m not going to do that. Absolutely not.’” — Jan

Wait, what about compliance?

“Sure, we get it—just keep on letting people do the training as and when they feel like it,” said no regulatory body ever. So, how do we step away from mandatory training while still aligning with the regulations?

Junell Felsberg has a novel approach here: “The regulations are in there to ensure we have at least the baseline of knowledge throughout the organization. But how we deliver it has never actually been prescribed. The default is an online training module, but a conversation is just as good.”

“The regulations are in there to ensure that we have at least the baseline of knowledge throughout the organization. But how we deliver it has never actually been prescribed. A conversation is just as good.” – Junell

Junell elaborates: “If I find that I have individuals that are not completing their online training module, I’ll just pop by their desk and have a conversation: ‘Hey, did you know that the best ways to identify a phishing email are these things over here? This is what it looks like. Have you ever seen that before?’

And then it becomes a conversation back and forth. I can observe that they are getting the knowledge, that transfer of knowledge has happened because they’re repeating it back to me, and then I can go back to my web portal and mark off that they have completed this required training. Maybe it’s not in the format that everybody else has done, but that doesn’t matter.”

Want to boost security awareness? Talk about something else entirely

Another takeaway was how we can use stories and analogies from everyday life—things that people care about. We can draw parallels to security concepts in a way that feels more relevant and engaging.

AI and camping and bears, oh my!

Junell shared a creative approach that allowed people to explore using AI safely, via a camping-themed exercise. “We talked about avoiding bears on the camping trip and ensuring your campsite is safe, but we also tied this into how we should approach and manage AI safely.” This method proved a huge hit, with the relatable narrative really making the message stick.

The inside job

And things went from bears to burglary, when Nick talked about an impactful campaign he’d overseen: “One of the things we’ve done recently in webinars on physical security is actually talk people through the story of how we got someone to break in. Show them how they did it, you know, ‘This is your office, it happened—although we paid for it, it happened.’ Then people can really understand that, ‘Oh, okay, we’re not invincible.’ And that helps to also remove the barrier of not understanding the problem.”

Sometimes the best way to get the message across is to step away from the traditional messaging and do something unexpected that still resonates.

Get serious about fun

Cybersecurity’s a serious topic, and keeping an organization thriving is equally serious. Yet, serious campaigns very often (seriously) tank.

As we touched on in the “mandatory” matter above, a heavy-handed approach can really kill the vibe.

Fun is (seriously) powerful

Yes, even if you’re a lawyer, a senior leader…or, gasp, a cybersecurity practitioner. Fun should be an important part of people’s work life, including swotting up on somewhat intense topics like cybersecurity.

Scientists have spent a lot of time looking at fun, so we now know that it:

• Reduces stress (couldn’t we all do with that when it comes to cybersecurity?)
• Makes us smarter (which is definitely in the plus column when it comes to defeating cyber threats)
• And strengthens relationships (important, because we’re all in this together)

Lawyers just wanna have fu-un!

Suspend your disbelief momentarily, because Jan works with a bunch of serious lawyers. And it turns out, lawyers just wanna have fun, just like the rest of us.

So, how does Jan inject fun in campaigns on the (rather serious) topic of cybersecurity, within his (rather serious) law firm?

As part of the induction program for his firm, Jan used SebDB to help create a “Who Wants to be a Millionaire” cybersecurity-themed game. He wanted to give it a go, but he had his doubts: “We thought in advance, ‘Oh, that’s never going down well because we have a serious law group here.’ … and suddenly that was the highest uptake—they liked it most!”

Jan’s no one-trick pony, so the fun kept on coming: “We had the Wordle game for instance. The only thing is that we need to come up with is 31 cyber-related Wordle words—that’s the biggest problem that we face. But there are lots of tools that you can grab just to make a Wordle, and then people start going into that.”

Phishing frenzy: The ultimate legal battle

But the real fun-filled flagship of Jan’s campaigns? “In Cybersecurity Awareness Month we do a phishing tournament. We play into the excitement and the competition element of everyone within the firm. People sign up voluntarily to be phished for about four or five five weeks, and then we have a leaderboard. We have Australia against the UK, and we play the offices against each other.”

So, how exactly does it work? “We play eight rounds, people need to spot it, they get points, and then we tag on for a bonus point some non-mandatory learning at the end. 2,000 people took part last year [out of 7,500 employees]. That’s an enormous amount of people in a tournament so we’re very proud of that, and this year we’re going to go bigger and better.”

From these experiences, Jan’s learnt how important it is to “hook into what people like”, “don’t shy away from just trying out and falling flat on your face if it doesn’t work.”  … and don’t forget to have fun yourself too.

“Don’t shy away from just trying out and falling flat on your face if it doesn’t work.” – Jan

Spot the difference

We love audience participation, and the chat bar was buzzing throughout the session. One idea really stood out. A creative viewer explained how they asked people to spot the difference between a real image of the CEO versus AI-generated versions.

This clever idea got everyone thinking about the dangers of deep fakes and phishing, which makes it perfect for SA&T engagement. What helps make it so powerful is it taps into our natural love for playing detective and finding clues.