Why is Cybersecurity Training not Working?

Lewis Fairburn

Marketing Manager


Cybersecurity threats are constantly evolving, and organisations need to stay ahead of these threats. This is to protect their data and systems. Data breaches cost the UK an average of £2.9 million per breach, 82% of breaches involving the human element. Moreover, those factors alone are usually enough to convince people that cybersecurity awareness needs improving and training to mitigate this. One way they can do this is by providing employees with cybersecurity awareness and training. However, despite the prevalence of such training, many organisations still struggle with mitigating cyber risks.

Why isn’t Cybersecurity Training Working

This begs the question – why isn’t cybersecurity training working? This answer can lie within multiple reasons, including a lack of awareness and understanding about cybersecurity threats, vulnerabilities and risks among employees. This is a large part of why cybersecurity isn’t working as effectively as needed to keep up with the rapidly evolving trends. Conducting cybersecurity training and not explaining why this is a huge mistake. The reasoning for this falls to humans. This is because if a person doesn’t know why something is crucial and the implications this could have. As such, individuals won’t care enough to engage thoroughly with the training and the rules and regulations. An inadequate amount of resources is being allocated to cybersecurity training provided by an organisation. With many individuals and organisations falling prey to phishing attacks, the correct amount of training and knowledge around these attacks should be put in place. However, with that being said, it is recommended that all organisations spend the equivalent of 10% – 15% of their IT budget on staff training in IT.

Training and Techniques

A large part of why cybersecurity training does work can come down to outdated training techniques and knowledge reciprocated due to this. Studies in the past 15 years show that the human attention span has decreased by approximately 30%. This is due in part to the amount of short-formatted content humans consume in today’s day and age. With this knowledge, cybersecurity training should be shorter and formatted, which is beneficial in several ways. The content in a short format allows for content to stay more up-to-date as the costs and time spent creating training will be reduced. Therefore, allowing training to be consumed at a higher efficiency and keeping this knowledge up-to-date and viable for the constantly changing technological environment.


In conclusion, you should review the fundamental points mentioned above to improve your cybersecurity training. Additionally, it is imperative to do your due diligence and try to implement these to the best of your ability when applying these to your organisation. With the right plans and resources, cybersecurity training can be practical and help organisations mitigate cyber risk and Data Breaches. Take a look at our careers page here.

Video/Audio Transcript