Attention Before Awareness
The ignition point
Attention. That's the game. That's the god(dess). And until we start worshipping it, every awareness campaign that we build will collapse under its own dullness. Cyber awareness isn't failing because employees are careless, stupid, or "the weakest link". It's failing because we're not competing for their attention. Not even trying, half the time. We toss training into inboxes like confetti at a funeral and then act surprised when no one dances.
Attention is the glittering currency of the modern age, the neon god of our scrolling, swiping species. That's where the war is being fought, and we, the cyber crusaders, are still sharpening PowerPoints while marketing is out there staging full-blown Broadway musicals.
Humans don't absorb information just because someone hurls it at them. We don't learn through obligation. We learn when something moves us, cuts through, makes us laugh, cringe, care. We learn when emotion stirs the neurons. And the people who've mastered that are? The marketers. Those caffeinated conjurers of desire. They've built empires... literal empires... on the back of human emotion. They know that to be remembered, you must first be felt.
Cyber, on the other hand... not so much. We, the supposed guardians of the digital realm, keep mistaking compliance for connection. We write policy when we should be writing poetry. We teach risk when we should be telling stories. Until we start behaving less like bureaucrats and more like brands, we'll keep watching awareness slide off our audience like rain off a waxed Tesla.
the myth of the careless employee
We love a villain, don't we? Every good story needs one, and in cyber security, we've case the employee as the hapless fool clicking their way toward Armageddon. Every data breach gets a scapegoat, every phishing campaign a headline that points the finger at "human error". It's simple, satisfying, and conveniently shifts the blame away from the systems, strategies, and cultures that sets those humans up to fail in the first place.
But if we're honest... and we should be... it's lazy. People don't wake up in the morning thinking, right, time to compromise the company today. They're just doing their jobs. They're juggling messages, meetings, deadlines, Teams calls, Slack pings, client dramas, childcare, caffeine crashes, and whatever existential dread they picked up from the morning news. Somewhere in that swirl, we throw a phishing simulation or a security reminder written in the tone of a tax audit and then act surprised when no one reads it.
We keep telling ourselves it's about carelessness, when in truth it's about competition. Every app, advert, headline, and notification is clawing for the same sliver of attention we're trying to reach. We're not losing to stupidity, we're losing to saturation. And the irony? The people in marketing... yes, the same people we roll our eyes at for using words like synergy and brand storytelling... they've already solved this problem. They've studied it, engineered it, monetised it. They know how to make someone look twice.
Yet here we are, still blaming people for not paying attention... when we're the ones who never earned it.
The Cult of Attention
You can always tell when you've wandered into the marketing department. The air hums differently. It's caffeinated, loud, alive. Ideas ricochet off the walls like pinballs. Someone's arguing about typography as if it's theology. Someone else is waving a colour palette around like a god damn manifesto. They understand, instinctively, that the battle for attention is sacred.
While we're still drafting policies in committee-approved language, they're running experiments in human psychology. They know how exactly how to make people feel. They can stop a thumb mid-scroll, sell dreams in twelve words, make an entire brand live rent-free in your frontal lobe. They don't wait for attention, they conjure it. And they protect it like a religion.
That's what makes them so infuriatingly effective. They start with emotion, not instruction. With memory, not metrics. They design for the eye, for the gut, for the pulse. Everything - every font, frame, flicker of light - is built to earn engagement. Meanwhile, we're over here sending out "mandatory awareness modules" written in the tone of a parking fine.
If we want people to remember security training, we can't keep treating it like a compliance exercise. We have to learn from the disciples of dopamine. The marketers already cracked the code on how to make humans care. All we have to do is stop pretending it's beneath us and join their bloody cult.
the forgetting curve & the fire of feeling
Let's talk about memory... or rather, the total lack of it. We roll out awareness training like some corporate Groundhog Day, as if the human brain were an Excel sheet waiting to be updated. It's not. It's chaos and chemistry and emotion and timing. And when we ignore that, we lose.
Back in the nineteenth century, a German psychologist named Hermann Ebbinghaus decided to study how quickly people forget information. He memorised lists of nonsense syllables... straight up sadomasochist behaviour for science... and timed how long it took for the knowledge to decay. What he found became legend: the Forgetting Curve. Within six days of learning something new, most people forget about seventy-five percent of it. Seventy-five. A century and a half later, we're still proving him right.
Imagine spending millions on awareness campaigns that vanish from memory before the week is out. Imagine spending millions on something we've known wasn't effective since the fucking 1880s. Yet that's exactly what most organisations are doing. We deliver passive training... read, click, nod, repeat... and then we have the audacity to wonder why no one remembers a bloody thing.
We forget because we never feel. Our brains are build to store what moves us. That's why you remember your first kiss but not your last compliance quiz. That's why the smell of a burnt biscuit can catapult you straight back to your grandma's kitchen. That's why a jump scare in a film stays with you longer than a password policy.
Emotion is the ignition key for memory. Fear, humour, surprise, pride, outrage - these are the things that get filed under important. That's why experiential learning works. It forces feeling into the equation. It creates tension, competition, connection. It makes people feel something real before asking them to remember it.
Interactive, experiential learning can increase retention by up to eight hundred percent compared to passive formats. Eight hundred. That's not a statistic, that's a wake-up call. When people are part of the story... when they have skin in the game, laughter in their lungs, adrenaline in their blood... the lesson becomes a memory. And memory is what keeps us secure.
The best training feels less like compliance and more like theatre. It's immersive. It's ridiculous. It's fun. It might involve fake breaches, phone calls from "hackers", escape rooms, organised chaos... But it works. Because emotion is sticky. Because memory is emotional residue. And because no one ever told a great story that began, "I logged into the LMS and..."
The marketing mindset
So how do we fix it? We start behaving like marketers. Not pretending, not dabbling, but genuinely learning from the people who've mastered the dark art of attention. Marketing doesn't throw information at people and hope for the best. They plan, they test, they measure, they adjust. They obsess over message, timing, tone, and audience. Every word, every colour, every moment is deliberate.
Cyber needs that same obsession. We need to stop treating communication like an afterthought and start treating it like a campaign. Every awareness initiative should begin with a single, merciless question: why should anyone care? Until we can answer that honestly, we have no right to demand attention.
We need repetition. Real repetition. Marketing knows that messages only sink in when they're seen and felt and heard again and again, in different formats, from different angles.
We need to tell stories. Real ones. Stories that make people see themselves - the CFO with the "urgent" invoice, the HR exec clicking a malicious link between calls, the intern saving a fake attachment from "IT support". Every click, every panic, every close call is an opportunity to turn a cautionary tale into a cultural movement. Marketing already knows that storytelling changes behaviour faster than rules ever will.
And we need design. Beautiful, deliberate, intentional design. You can't sell an idea that looks like a spreadsheet. Cyber teams should be working hand in hand with designers, writers, videographers, the whole creative crew. If you want people to remember your message, make it worth remembering. If you want them to talk about it, make it worth talking about.
Marketing understands that attention isn't given... it's earned, crafted, seduced. Cyber needs to start competing for it with the same energy, the same precision, the same creative arrogance.
from governance to connection
If we want a culture where people behave securely by instinct, we have to earn that instinct first. That means dropping the jargon and finding the humanity underneath it. We don't need more governance language; we need language people actually want to read. We need humour, design, repetition, stories, social proof. We need the kind of campaigns people mention in the corridors afterwards.
Awareness isn't the beginning of the journey. It's the outcome of a system that prioritises attention, emotion, and reinforcement. Once we understand that, everything else changes. Training stops being a compliance exercise and starts being culture-building. People stop being "the problem" and start being part of the solution.
We can keep doing what we've always done... or we can get serious about attention. We can stop pretending it's a soft skill and start treating it as the hard currency of human behaviour. The moment we do, everything improves: performance, culture, reporting, buy-in, memory, and yes... actual risk reduction.
Cyber security doesn't fail because people are careless. It fails because we forget we're people too.