From apathy to action: 5 proven ways to boost employee cybersecurity engagement

Here's another stat that underscores the criticality of a pro-security culture: Last year, 75% of attacks were malware-free. That means instead of resorting to drive-by malicious sites, malware-laden downloads and open port attacks, many cybercriminals were foregoing malware altogether by directly exploiting employees. 

With this in mind, here are key ways to move your teams from apathy to action by boosting employee cybersecurity engagement. 

• Understand the psychology of learning 
• Leverage microlearning for better retention 
• Diversify education formats 
• Implement targeted and role-based training 
• Market your security awareness program 
• Applying the science of engagement for lasting behavioral change 

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Book a Demo

1. Understand the psychology of learning 

Understanding how learning lands in the psyche of your target audience is a core tenet of security awareness training and human risk management. While the psychology of learning may sound complex at first, it all boils down to a few simple concepts: 

• Learning should be interesting and enjoyable 
• You have to make sure they're intrinsically motivated to learn 
• Their learning should augment their personal sense of accomplishment and value 
• The learning journey should make learners feel like they belong to something bigger than themselves 

When training is engaging, it sticks. Go behind the scenes of Work Bytes, the award-winning Infosec IQ, series to see how security awareness can be both effective and entertaining. 

Make learning enjoyable 

Studies have shown there's a connection between learning and engagement. If employees find the material interesting and enjoyable, they will likely see themselves playing a significant role in their organization's cyber protection. 

For example, when employees saw their training as interesting, they were almost 80% more likely to view themselves as someone who plays an important role in their organization's cybersecurity. On the other hand, when employees saw their training as boring, only 27% envisioned a connection between themselves and the cyber-safety of their organization. 

Understanding this, many organizations have been customizing their training to make it more relevant and personal. 

In the 2025 Infosec Dark Reading survey, which included 111 cybersecurity and IT professionals at companies with 500 or more employees, 41% said they customize their training using specific security threats that impact their organization. This ensures that the training is personalized and actionable. 

Making sure employees connect with your training often centers around effective storytelling. 

The power of storytelling in security training 

Storytelling is essential to effective cybersecurity training because it grabs your learners on an emotional level and gives them a more tangible role in the security success of your organization. As Steve Concotelli, who hails from a Hollywood background, puts it on the Cyber Work Podcast, the last thing you want is for "somebody to hit play and walk away." 

Effective training grabs attention — it shouldn’t be just background noise on a to-do list 

To avoid that, he recommends using the three E's: educate, engage and empower. These are foundational to all of Infosec's modules. Here's what they mean: 

• Educate: Make sure the actual learning moments stick with your audience. 
• Engage: Speak to people on their own level and employ situations and use cases they understand and appreciate. 
• Entertain: Infuse a few laughs to engage with the audience's sense of humor. 

The educational element benefits from the use of proven methodologies, such as microlearning and just-in-time learning.  

• Microlearning involves learning in short, focused bursts, often organized in lessons just a few minutes long.  
• Just-in-time learning gives learners exactly what they need when they need it.  

For example, suppose employees are struggling to figure out how to spot an AI-generated spearphishing campaign. Your security awareness program could include a short training that outlines exactly how hackers use this to fool their targets, examples of common techniques and what they should do if they suspect an attack. Then if an employee clicks on a simulated phishing link, additional training can reinforce that message: 

To further round out your storytelling, your training should include: 

• Role-based learning: This gives employees specific training around skills they need to perform their particular duties. 
• Ongoing, actional advice: To drive true culture change, you should adjust your teaching according to what each learner experiences on a daily basis, regardless of how often that changes. 
• Narrative arcs and characters: You can position employees as protagonists or help characters and hackers as antagonists. At times, malware or an attack could assume the antagonist role as employees swoop in to contain the threat and save the day. 
• Realistic workplace scenarios: Even if you make up the characters, you should ground learning scenarios in those that are relatable to the audience. Use actual network components and architectures. Incorporate the actual web apps, servers and cloud providers your organization uses.

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

VIEW PRICING

Make it personal and positive 

According to an Infosec security and awareness training manager, if trainers "can get people engaged on a topic that's got meaning for them personally, then it's going to change the way that they operate holistically, including at work." 

For example, nearly everyone uses social media in one form or another. So, one way to personalize your training is to use social media attacks as an example of what to look out for and avoid. 

One such attack involves a hacker pretending to be an associate or friend of their target and then sending them a friend request. Once accepted, they have access to news about what the person is doing, their likes and dislikes, associates, employment history and more. All of this can be used in a future spear phishing attack. 

Donna Gomez and Tomm Larson share how gamification, competitions and creative challenges make cybersecurity training more engaging and effective. 

Learning based on intrinsic motivation, trust and empowerment are more effective than being punitive. Keeping it positive involves: 

• Not belittling your audience by making them feel bad about their mistakes or lack of knowledge 
• Building a circle of trust where they can feel comfortable being open about their concerns 
• Tapping into your audience's passion for doing a great job or succeeding as professionals 

2. Leverage microlearning for better retention

Microlearning, as mentioned earlier, involves segmenting learning into short, focused bursts. To leverage microlearning, all Infosec videos are between one and four minutes long. This avoids the pitfalls of the forgetting curve, that shows we lose a significant amount of information within the first few hours or days after learning it. Microlearning uses skill reinforcement to prevent the forgetting curve from erasing valuable knowledge. 

For instance, Infosec IQ training breaks down learning according to nine security behaviors outlined in the NIST security awareness training guidelines. After showing a brief, four-minute video during the phishing training, you can show employees examples of phishing attacks so they can exercise their newfound knowledge. 

Use in-the-moment nudges 

In-the-moment nudges involve using real-time prompts based on situations learners are currently dealing with to foster an educational experience. 

For instance, suppose an employee has to create a password for access to a web app your company uses. At that moment, you can teach them about the importance of using long, complicated, random passwords. For example, you could emphasize how much longer it takes a brute force attacker to crack a password consisting of random words and numbers than one that has already appeared on a leaked password list. 

Nudges create lasting behavioral change. In fact, recent research from Right-Hand Cybersecurity found one company experienced a 17% reduction in alerts over the course of two months following the use of in-the-moment nudges in employee training. 

3. Diversify education formats

By adjusting to different learning preferences, you can reach a broader audience. Some learners respond better to videos and infographics, while others retain more information if you use gamification during training. Still, others benefit more from hands-on workshops. 

According to NIST, "repeating an awareness message and using a variety of ways of presenting that message can greatly increase users' retention of awareness lessons or issues." 

To best understand the most effective way of applying this insight, you should mix up your approach to ensure you're accommodating as many needs as possible. As David Hansen, Senior Analyst, Corporate IT Security & Compliance, Brookfield Renewable, explains, you should "find out what teams like," which means you "need to offer training content over a two- to three-year period, but provide variation in the content, format and delivery. That way, it resonates with people in a different way or with people with different learning styles." 

In a recent Infosec survey, a security manager mentioned that their program "had to have a variety of media, like posters, newsletters, email templates." The manager continued with this advice: "You have to keep sending out newsletters, adding posters in the break room, and encouraging employees to do more, or else it becomes like anything else — you become desensitized to it." 

4. Implement targeted and role-based training 

It's important to align training content with specific job roles, such as IT, finance and HR, as well as your organization's risk levels. This way, your training will directly align with each learner's responsibilities and concerns. 

As another security manager mentioned in a recent survey, "I think role- and risk-based is honestly what we probably look for the most. We can talk about phishing in a generic form all day long. But can we break it down to whaling for executives? Can we break it down to accounts payable versus maybe an intellectual property area for research and development?" 

By breaking the training down in these ways, you bridge the gap between theoretical and actionable learning. 

For example, Infosec IQ has training tailored to job responsibilities, threats and compliance in specific industries including: 

• Healthcare 
• Financial services 
• Technology 
• Education 
• Retail 
• Government & military 
• Manufacturing & construction 

Explore the Infosec library with 2000+ training resources by the topic, role and content type that matches the tone and relevancy you need.  

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

VIEW PRICING

5. Market your security awareness program

It's crucial to augment your security awareness program with a compelling "PR campaign" by emphasizing its value for all involved. Underscoring the tangible benefits of your training prevents it from feeling like just another obligation. 

As revealed by a security manager in an Infosec survey, one way to do this is by fostering a genuinely immersive, enjoyable experience. The manager says, "The happier the employees are, the more they're willing to be part of the team. That's one of the things we wanted to do, make everyone feel like they were included." 

To communicate the benefits of your training, you can: 

• Outline how they promote job security and the health of your organization while first introducing your program. 
• Be specific about the time employees may save by applying what they learn and how what they are learning can keep them safe at work and home. The more employees personalize their learning, the more they will retain and apply their knowledge. 
• Have leadership reward employees for applying their training, particularly by using official commendations in employee reviews and even public acknowledgment during team meetings. 

Applying the science of engagement for lasting behavioral change

By leveraging microlearning, you improve retention and your audience's ability to apply what they learn. In-the-moment nudges make their learning immediately helpful because it gives them the chance to apply it to what they're doing right then and there. 

Diversifying education ensures your program meets the learning needs of as many employees as possible. Similarly, implementing role-based training gives employees what they need to know in the context of their daily work. By marketing your security awareness program, you underscore its value for all learners, differentiating it from mandatory, dispassionate, disconnected training. 

Take the next step by assessing your current training and then weaving these proven methods into your system. 

Your employees thrive on success — both their own and that of your organization. By prioritizing engagement, you build on their innate sense of drive to create a stronger security culture. 

For more on driving engagement, download our free ebook Security Awareness Behavior Change and Culture: Experts Share Advice on Changing Behaviors and Culture.