Don’t teach me anything.
John Oliver was joking when he barked that line at Edward Snowden. Yet it might as well be every employee staring down another mandatory cyber module. Beneath the comedy is a truth most organisations refuse to face. People do not reject cyber security because they are stupid. They reject it because the learning experience reeks of canned soup.
There is something painfully familiar in John Oliver's exchange with Snowden. That theatrical recoil from complexity. That wonderfully childish refusal. That charming, unvarnished plea to avoid being taught anything at all. It captures the national mood of cyber awareness training with uncomfortable accuracy. We have asked people to learn, but we have not given them a single good reason to want to.
Every few months the compliance wheel spins, and out tumbles yet another mandatory module decorated with royalty-free icons and a narrator whose voice sounds like it escaped from a 1998 onboarding CD-ROM. We drown people in quizzes that test nothing, videos that explain nothing, and policies that reassure no one. These are not learning experiences. These are corporate rituals, performed earnestly and understood dimly, like chanting at a bonfire without knowing the words or why you're there in the first place.
The real problem is not knowledge gaps. The real problem is confidence. Or rather the catastrophic absence of it. People do not disengage because cyber is boring. They disengage because cyber feels like a language they were never taught to speak. And when people feel lost, they retreat. They opt out. They mutter Oliver's immortal line in their heads. Don't teach me anything. I don't want to learn.
Punishment based training only worsens this. We know, because the science has known it for seventy years. The stick works brilliantly if your ambition extends no further than temporary obedience. But obedience is not competence. And competence does not grow in environments designed to frighten people into staying awake.
Yet somehow organisations still cling to the belief that a poorly designed phishing simulation will deliver enlightenment, or that calling out repeat clickers in front of their peers will breed vigilance rather than resentment. Studies from ETH Zurich, San Diego, Karlsruhe, and others have tried to break this news gently, but the message keeps disappearing like a polite email in a crowded inbox. Phishing simulations based on catching people out are not teaching anything at scale. Some are barely scraping a two percent uplift in long term behaviour. Two percent. That is the kind of number a magician would hide under a cloth.
Fear creates silence. Silence creates risk. This is the cycle organisations keep feeding with wide eyes and good intentions. When people are afraid of punishment, they hide their mistakes. They lie. They avoid asking for help. They turn the cyber team into a collection of shadowy figures who appear only to wag fingers and deliver verdicts. The culture ferments. The truth gets buried. The security posture weakens. No amount of mandatory modules can rescue an environment where people view cyber as a trap.
The antidote is self efficacy. Albert Bandura wrote about it with the clarity of someone watching humanity bump its own limits. The belief that you can succeed precedes the ability to succeed. If you think you cannot understand cyber, you won't. If you believe you might, suddenly the door unlocks. This is why veterans of the early internet looked so heroic. They hurled themselves into the unknown with a shrug and a mutter of how hard could it be. They were not braver. They were simply confident enough to try.
Modern training rarely replicates that feeling. It makes people feel examined rather than invited. Corrected rather than guided. Many employees, quite sensibly, disengage. They know when a system is designed to expose rather than empower.
So how do we fix it? The psychologically is mercifully straightforward. People learn best when they experience a win, watch others succeed, receive encouragement, feel emotionally safe, and see a path they can actually climb. Five simple pillars of self efficacy. Five things most cyber training ignores entirely. Instead of mastery, we get trick questions. Instead of vicarious learning, we get grainy reenactments. Instead of encouragement, we get automated scolding. Instead of emotional safety, we get timed quizzes. Instead of tailored difficulty, we get the same content for the intern and the network engineer.
It is no wonder people begin to loathe the whole enterprise.
And yet the alternative is not utopian. It already exists. You see it whenever someone is given a hands on task that feels real. Whenever they get to solve a puzzle instead of being quizzed on a bullet point. Whenever learning is framed as exploration instead of remediation. Immersive experiences, interactive simulations, and scenario based challenges consistently outperform the corporate-video industrial complex. They deliver the quiet miracle of confidence. They let people win.
The lesson is embarrassingly simple. If you want to shift behaviour, design training that feels like it respects the intelligence of the learner. Make it playful. Make it human. Make it something people actually want to get right. And stop assuming that a person who clicked a link at 4.57pm on a Friday is a threat to the kingdom. They are a human being with a brain full of other priorities.
The future of cyber training belongs to organisations brave enough to treat learning as a craft, not a compliance checkbox. The ones who build experiences where people feel proud of what they figured out. The ones who ditch fear in favour of curiosity. The ones who understand security is a collective performance staged every day by people who want to feel capable, not conquered.
Teach people to believe they can do this. The behaviour change will follow. It always does.
Keywords