If you’re looking to avoid the primary security awareness mistake, there are a number of things to consider.

Sometimes making progress by taking a step, any step, is the right thing to do. However, it sometimes causes unforeseen issues. JDI (Just Do It!) in Security Awareness has an appeal: you can enjoy some progress, and you’ll likely know the topics to cover.

Cost of Staff Attendance

Asking people to be away from their desk costs time in terms of stopping what they are doing, filtering to the venue and then filtering back. Add time for valuable chats with colleagues and picking up another coffee. 15 minutes would be a conservative average.

Additionally, most organisations won’t consider it a valuable use of time to require face-to-face training multiple times per year. So you have a one-shot deal and lots of material to cover, which makes a 1-hour slot seem like the right thing to do.

Working through the numbers should help you work out whether you’re likely to sink your effort into a recurring cycle of logistics that may or may not be effective.

For an organisation with 200 staff and an internal cross-charge rate of £220, the cost of attendance is £6,874. And let’s be clear, this is a cost that is distributed amongst other business units. Productivity impacts with a defined cost… won’t you be popular!

We are all about people, we really are. And we are firmly of the mindset that security isn’t the “user’s” fault; in fact, “users” probably doesn’t properly describe the relationship between the people that work in your organisation and the things they are trying to get done. That said, some people bring a level of disruption to a training session where you’d almost be better off not holding the session.

We’re not talking about shouting and insults, but the insidious sneering attitude and deliberately awkward questions that can affect other people’s experience. Let’s face it, Security isn’t top of everybody’s agenda, so there is an element of winning hearts and minds in everything we do in Security Awareness.

Also, on the topic of effectiveness, you’ve likely got one session per year to impart your messages in an engaging manner that you hope is going to positively affect the behaviours of the trainees for the long term. No mean feat in an hour! How often have you changed someone’s opinion on something the first time you met them?

Given that people have a limited capacity for concentration unless they are very interested, you’ll need to create that light bulb moment for them in the first 2 minutes.

Logistics and impact on the Security team

Putting aside the cost to the business and effectiveness of the training (Hang the cost, man!), what are the impacts on the Security team?

  • Creating content – PowerPoint Ninjas, put your hands up!
  • Getting buy-in from Senior Management to release staff
  • Hosting training – if attendees are in session for 1 hour, it will likely take 2 hours to set up, train and then clear up afterwards
  • Arranging and rearranging training sessions

Arranging training sessions is by far the biggest impact. In terms of numbers, 200 people is a speech and 30 is large for a training session, so 20 attendees is a likely number per session.

For our example 200-staff organisation, that’s 10 sessions. We all know how difficult it is to get 5 willing participants into a room at an agreed time and date. With 20 there will be inevitable call-offs and requests for rescheduling. If you are lucky you will host an additional 3 sessions, possibly more. All of this takes time to manage; what else could that valuable member of your security team be doing?

The number one security awareness mistake

By now you’ll see why we believe that face-to-face training at scale has many issues that you should consider carefully. Before getting underway, consider:

  • Your current maturity level
  • What resources are available to you
  • Can you truly, consistently engage people in a training session environment?
  • Are you likely to get buy-in from the business for significant time away from other duties for all staff?

So, what can you do? Planning in the form of defining your Security Awareness Strategy.

In a strategy, you have defined, measurable goals and a firm plan for success. Importantly, it can be authorised by senior stakeholders. But the key element in the strategy is pragmatism about the effectiveness of different approaches.

We’ll cover creating a Security Awareness Strategy in subsequent posts.

If you enjoyed this post, please come back regularly for further updates, including information on upcoming security awareness events across Scotland and further afield. @adv_engage