The way your employees grasp and process the information you give them will determine the success of your security awareness program. To oversimplify what that means: boring, long-winded, overly complicated programs will likely fail. Conversely, bright, entertaining, inclusive programs tailored to your user-base will likely succeed.

What follows are five ways to build and maintain a successful SAP. As you read, keep in mind that every program is different, so these are meant to serve as generic recommendations. If you have other ideas or experience in promoting a successful program, please let us know in the comments!

Show, Don’t Tell

It’s easy to fall into the trap of simply telling your employees what not to do when in reality, you should be showing them the “whys” and “hows” of information security. Every security breach that breaks major headlines presents a learning opportunity. If you spin those headlines into a quick teaching moment by explaining to your staff what happened, how it happened, how it could have been avoided, and what it would mean for everyone if it happened to your organization, you stand an excellent chance of making your employees understand why they’re required to participate in awareness training.

This approach plays right into the “make it personal” strategy. Meaning, if you present information that’s relevant to your employees’ personal security, they will be much more likely to learn, and your organization will be much less likely to suffer a data breach.

Convince the Boss to Participate

We always encourage executives, upper-management, and C-level types to join everyone else in the organization and participate in awareness training. Their presence in the program accomplishes three great things:

  1. It sends a message that says, “this program is extremely important, and no one is above it.” (Lead by example!)
  2. It keeps management in the loop so they understand how the program is being structured and why it might need more funding.
  3. It trains them! High-level employees benefit from awareness training just like everyone else. They also happen to be big-time targets for cybercriminals, making awareness training essential.

Encourage Feedback

If you want to gauge the impact of your SAP, get feedback from the people enrolled in it. They’re the only ones who can tell you what’s working and what’s not, which parts resonate with them and which fall flat, and which topics they want to learn more about.

For example, if your users hate certain types of content or there’s too much training interrupting their workflow, that negative reaction stumps the learning process; a frustrated user isn’t learning anything. But without asking for feedback, how do you know when to make changes or, more importantly, what changes are needed? By encouraging open, honest feedback, you can address the issues within your program and effectively tailor it towards your end users.

Utilize Gamification

One of the biggest challenges of mandatory training is making it fun. And even though things like compliance and workplace-safety will likely never qualify as entertainment, you should still make an effort to add some entertainment value in the way you present the training.

Gamification offers a great way of doing just that. As the name suggests, gamifying content converts it from a standard online training module or instructor-led seminar into a game or interactive challenge. We offer a bunch of different styles of trivia games that aren’t complicated and don’t take up much time. But if you want to create your own games, there are plenty of free online templates for building crossword puzzles, quizzes, etc.

In addition to computer-based games, feel free to get creative and personalize games that match your work environment. Office-run contests and scavenger hunts offer a great way to get everyone involved and improve the culture of your organization, especially if you can add rewards and prizes. Of course, the tricky part is figuring out how to infuse security awareness training into these types of games. One example: if you distribute a monthly newsletter, turn it into a scavenger hunt by following it up with a few questions that your end users could only answer if they read the entire newsletter. If you can, reward those that get them all correct!

Embrace Microlearning

Let’s face it, the attention span of an average employee is typically short when it comes to extra work—which is exactly how most will feel about security awareness training (it’s more work/it’s distracting). If you don’t have their attention, they won’t learn anything. And if they don’t learn anything, your efforts to build resilience to cybercrime will fail.

Microlearning helps you combat those problems by providing information in small chunks. Posters, short videos, infographics, a quick email update with graphics are all examples of microlearning. While not a substitute for long modules that cover vitally important compliance training, microlearning serves as an excellent reinforcement of your overall message without bogging down your employees’ productivity.


The end-goal is to develop a learning ecosystem within your organization that benefits everyone from the top to the bottom. And we’re here to help! Check out our resource center for lots of great information on how to plan, launch, and manage your SAP. We also have a great selection of free materials including posters, games, modules, and videos like the one below!

Justin Bonnema

Lead Writer at SAC
Justin left the music business to focus on his true passion: writing. A talented writer and detailed researcher, he’s involved in every department here at SAC to make sure all content is fresh and up-to-date. In his spare time, Justin writes about fantasy football for FootballGuys.com and practices mixology (he makes a mean margarita).