
Beyond Phishing: A Deeper Look at Modern Cyber Threats

Cyber awareness training cannot stop at phishing emails. Modern cyber threats include social engineering, impersonation, physical access, payment diversion, role-specific pressure, and the everyday decisions people make when they are busy, distracted, or trying to help.

Quick answer: Effective cyber awareness training should go beyond phishing by making threats relatable, practical, role-based, and behaviour-focused. The goal is not just completion. The goal is to help people recognise suspicious situations, ask better questions, and know when to pause, verify, report, or escalate.

Time and time again, we learn that people remain one of the weakest points in any defence, whether the threat involves phishing, social engineering, impersonation, or physically entering a building. When designing security controls, we cannot ignore a person’s natural tendency to want to help. We are human after all.

But realistically, that does not change the fact that security professionals still need to protect IT estates, business operations, data, and people. Cyber awareness training is commonly used across most organisations, often as an annual exercise that people dread receiving in their inboxes.

Even as a security professional, I have found myself dreading awareness training because no matter what platform it is delivered through, it often fails to spark enough interest. To engage the workforce and build a genuine cyber culture that extends beyond the physical perimeter of the office, organisations need to rethink how they deliver cyber awareness training.

Key takeaway: Cyber awareness training should not only teach people what phishing is. It should help employees recognise modern cyber threats in realistic situations, understand how attackers manipulate behaviour, and know what action to take under pressure.

Modern cyber threats go beyond phishing emails

Phishing is still important, but it is not the only threat people need to recognise. Modern cyber threats often blend email, phone calls, messaging apps, fake urgency, supplier impersonation, payment manipulation, physical access, and social engineering tactics that exploit trust, pressure, curiosity, or helpfulness.

This is why cyber awareness training should move beyond generic warnings and help employees understand how threats show up in their actual working day.

Phishing emails

Emails designed to trick users into clicking links, opening attachments, entering credentials, or following unsafe instructions.

Spear phishing

Targeted messages that use personal, role-specific, or business context to appear more believable.

Social engineering

Manipulation that exploits trust, urgency, authority, fear, helpfulness, or routine behaviour.

Payment diversion

Scams that redirect payments, invoices, payroll details, or supplier bank information.

Physical access risk

Threats involving tailgating, unauthorised visitors, badge misuse, or people entering restricted areas.

Role-specific pressure

Threats that exploit job responsibilities, such as sales urgency, finance approvals, developer access, or executive authority.

Make cyber awareness training interesting

How do you balance delivering thorough cyber awareness training whilst keeping it interesting to staff?

I have found that employees have varying levels of interest when it comes to cyber awareness. Some are genuinely curious, some are completely disengaged, and others are apathetic. I believe cyber awareness programmes can be improved by sparking curiosity and making the training interesting.

Many people are guilty of binge-watching entire seasons on Netflix within days. Why? Because it is interesting. The story is written in a way that hooks them and appeals to their curiosity. A similar principle can be applied to training.

Of course, organisations may still need the compliance checkbox for completing online training. But why not make it practical and follow up with an interactive lunch and learn session based on a real-life case study?

In the past, I have created training exercises that walk employees through how a cyber attack could be carried out, including real-life examples. Though simple, this crystallises how easy it can be to conduct an attack, especially from something as innocent as a mouse click.

By illustrating how easy it is for an attacker to strike, we give the workforce a temporary window into our world as security professionals. It also highlights how crucial their role is in keeping the organisation safe.

When choosing case studies, I prefer examples that feel relatable. Instead of only focusing on attacks against large organisations, I also use attacks geared towards individuals, such as direct deposit scams targeting employees, house buyers, or renters. This makes the victim feel more familiar: someone like the employee, or someone they know.

Divide and conquer

When delivering training, know your audience and keep it narrow. In a general session there will always be someone who believes they could not possibly fall victim to a cyber attack, and that person disengages.

When designing sessions, consider separating cyber awareness training by job function to make it more impactful. The risk exposure of a sales executive is different from the risk exposure of a full stack developer, so they should not always receive the same examples in the same way.

A sales executive may be more susceptible to social engineering attacks because they engage with external parties regularly and may be under pressure to meet sales targets. A full stack developer, on the other hand, has responsibility for secure code development and needs to understand risks linked to code, credentials, repositories, pipelines, secrets, and application security.

When training is delivered to job functions rather than the entire workforce at once, it becomes easier to give relatable examples. People are more likely to stay engaged when they can contribute to the conversation and see how the threat connects to their day-to-day work.

Aim for depth when delivering training. That is where lasting change is made.

Role-based cyber awareness training examples

Role-based awareness training helps organisations move beyond generic phishing examples. It makes cyber security feel relevant to the actual decisions each team makes.

Finance teams

Focus on invoice fraud, payment diversion, supplier bank detail changes, executive impersonation, approval pressure, and verification steps, such as confirming any change of bank details by calling the supplier back on a number already held on file rather than one supplied in the request.

Sales teams

Focus on external communication, social engineering, malicious links, suspicious attachments, customer impersonation, and urgency-based manipulation.

Developers

Focus on secure coding, secrets exposure, repository access, dependency risks, credential handling, and phishing attempts linked to developer tooling.

HR teams

Focus on personal data, recruitment scams, payroll changes, identity documents, employee records, and suspicious requests for sensitive information.

Executives

Focus on targeted attacks, spear phishing, business email compromise, personal exposure, delegated authority, and high-impact approval requests.

Facilities and reception

Focus on physical access, visitor verification, tailgating, badge misuse, deliveries, and escalation when something feels unusual.

Building a cyber-aware culture

When building a cyber awareness culture, the most important thing is keeping the conversation going. Employees should feel comfortable asking the security team questions, raising concerns, and reporting suspicious activity without fear of embarrassment.

Open communication builds rapport that the security team can draw on when future changes are introduced. It also reduces the likelihood of a disengaged or apathetic workforce because security stops feeling like something that is done to people and starts feeling like something they are part of.

A strong cyber-aware culture is not created by one annual course. It is created through practical examples, repeated conversations, clear reporting routes, relevant scenarios, and security teams that make it easier for people to do the right thing.

Frequently asked questions

What does “beyond phishing” mean in cyber awareness training?

Beyond phishing means training employees to recognise a wider range of modern cyber threats, including social engineering, spear phishing, payment diversion, impersonation, physical access risk, and suspicious requests across different channels.

Why is phishing still important?

Phishing is still important because it remains a common way attackers try to steal credentials, deliver malicious links, trigger unsafe actions, or manipulate employees into sharing information.

What is spear phishing?

Spear phishing is a targeted form of phishing that uses specific information about a person, role, organisation, supplier, project, or business process to make the message feel more believable.

How can cyber awareness training be made more engaging?

Cyber awareness training becomes more engaging when it uses relatable examples, real-life scenarios, role-based exercises, interactive discussions, and practical situations employees may actually face.

Why should awareness training be role-based?

Role-based training is more effective because different teams face different risks. Finance, HR, sales, development, facilities, and executive teams all need examples linked to their actual responsibilities.

What is the goal of cyber awareness training?

The goal is to help employees recognise suspicious situations, pause before acting, verify unusual requests, report concerns, and understand their role in protecting the organisation.
