The Engagement Paradox
On cyber awareness, and why it keeps failing.
In cyber security, we bloody love the word "awareness". It goes into strategies and programmes. We measure it. We report on it (kind of). We even dedicate a whole bloody month to it, worshipping the idea as if it's an end state in its own right. And yet, despite YEARS of these initiatives, breaches continue to happen for the same human reasons that they always have.
It's not because people are careless or because they're stupid. In fact, it's nothing "they" are doing wrong at all. It's because WE are starting in the wrong place. We bang on about awareness being the problem and we are wrong. Awareness is not the problem. Engagement is.
Lack of awareness is merely the symptom of a poorly executed behavioural change programme. You see, most cyber training (I'd probably go as far as to say most training actually) is built on the flawed assumption that if people know what to do, they'll do it. So we explain, we instruct, we inform. We deliver policies, slides, posters, videos, quizzes, and then we bandy about our completion stats.
And we act completely surprised when absolutely nothing changes.
But humans don't change their behaviour because they were TOLD something in a classroom once. Think about all the times you've been in a seminar and you've been thinking about absolutely everything except what the guy or gal in front of you is saying. "What's for tea?" "That bloke's shoes are weird" "Has anyone ever successfully drawn pupils on their eyelids so they could nap in a boring lecture?"... you get the picture.
In order to create behaviour change, we have to cut through the noise. We have to capture attention. Get some emotions stirred up. Only then can we even think of creating memory. If there's no attention, you've got zero chance of someone remembering what you've told them. If their eyes are glazed over or they're pondering whether they really do like pineapple on pizza, no amount of droning on is going to flick that switch.
And if you don't have any chance of creating memory... well your chances of behavioural change are buggered as well. And that, my friends, is the paradox in which a lot of us are currently working: we're optimising for calm delivery of information in a system that biologically and cognitively requires disruption to work.
This is where cyber "awareness" goes wrong. We're measuring the wrong things. We're confusing attendance for engagement. Completion stats for knowledge gain. Someone can attend every training course you put on, pass every quiz (they're not that hard... seriously), and still they can behave in exactly the same way when the shit hits the fan.
Engagement isn't about showing up. It's about leaning in. It's about, well... being engaged. It shows up in the room as curiosity and tension and focus and emotional investment. And sadly for us lot trying to make it happen, it can't be mandated. A policy document isn't going to stop someone clicking. If the people are not engaged... the "awareness" has nothing to land on.
Humans don't learn in the way compliance frameworks assume (read: wish) they do. And we shouldn't be surprised by this. Our brains are wired to prioritise novelty, story, social context, pressure, and relevance. It's been biologically ingrained into us from way before computers even existed.
We remember the things that surprise us. We remember what makes us uncomfortable, what makes us laugh, what makes our hearts race. It's why we can recall the plot of a TV series from a decade ago but we can forget cyber training before we've even closed the damn tab. And that's not a motivational problem on behalf of the learner... it's a design problem on behalf of the people creating the training in the first place.
Marketing teams understand this concept instinctively. Their whole gig is getting noticed, and staying noticed. Marketing realises that awareness (brand awareness and cyber awareness aren't two different beasts cognitively speaking) does not start with information... it starts with ATTENTION.
Marketing knows that behaviour change follows a sequence... attention leads to interest... interest to emotion... emotion to repetition... and repetition to habit. Cyber security, by contrast, just skips straight to the end. We throw information at people and hope awareness appears. It doesn't.
Engagement, therefore, is the ignition point for the whole behavioural change process. If you want people to behave differently under pressure... when an email looks almost right, when a phone call feels slightly off, when the stakes are real and time is short... you have to engage them before you educate them. You have to give the brain something it can recognise later, something that feels familiar when the moment of risk arrives.
Without engagement, awareness programmes do not fail loudly. They fail quietly and politely. They get completed, reported on, and ultimately ignored.
Cyber security does not need "louder" awareness campaigns. It needs better engagement design. It needs to stop asking how to tell people what they should know, and start asking how to get people to care and remember when it matters. Because awareness is not the starting point. It is the outcome.