If Education is the Solution to Your Security Problem, Then You've Already Failed
Security Governance is the Only Approach that Works at Scale
A new scientific study confirms what has been obvious to me for years in the trenches: Security awareness training is at best a waste of time, and at worst actively harmful to security.
The study, published at the 2025 IEEE Symposium on Security and Privacy, followed almost 20,000 employees over the course of eight months and concluded that security awareness training and phishing simulation drills were ineffective.
Why is this, and what is the alternative?
First, the why. That’s easy. Security is an abstract, technical, and adversarial discipline that requires a lot of technical experience and adversarial mindset to be effective. But most employees just want to live their lives and do their jobs. They don’t think about security all day long. Why would they? That’s unrealistic. Most employees will do what they are told (within reason, especially if asked nicely) but we aren’t going to turn employees into security experts. That is not a pragmatic or achievable goal.
Second, we all have limited mental bandwidth. Employees are incentivized to do their own jobs, to meet their own KPIs, and they have no interest or desire to engage in constant laborious mental effort to be thinking about security all the time. As a company, you don’t want that, either. You want your Finance folks laser focused on Finance work, your BD folks laser-focused on BD work, and so forth.
So if the daily constant practice of pre-emptively anticipating security threats rests with the Security team—which is hardly a crazy thing to say—how do we scale security across hundreds or thousands of employees who don’t understand security, who don’t care about security, and bless their hearts, never will?
Technical controls. Guardrails. Both deployed top-down as security governance from the very top of the company.
Make it easy to do the secure thing, and make it painful, difficult, or impossible to do the insecure thing. Remove the mental effort required to think constantly about operational security, and let the Security team deploy those mandatory guardrails.
Now, can you train individuals in better operational security? You absolutely can. Can you train small teams to operate in a more secure way? You absolutely can.
But once you reach a certain size, you must scale your approach to operational security, and you’re not going to hire an army of security “counselors” to spend hundreds of hours a year training (read: nagging) rank-and-file employees on how to have better operational security.
I mean, you could do that, but that would be stupidly financially infeasible. Especially when there is a superior alternative.
Let me give you a hypothetical example. Suppose you work for a company that currently has no 2FA for employee accounts. Your goal is to get 2FA deployment to 100% (or at least 99%).
You could 1) beg, plead, educate, and train, at a vast expense of time and money, and you’d be lucky to get to 40-50% adoption; or 2) give people ample notice and warning that you are going to turn on 2FA and enforce it, flip the switch at the appointed time, and let anyone who doesn’t use 2FA discover that they can no longer do their job until they get with the program.
Now, these are decisions that the Security team should never make in a vacuum; they should be clearly communicated upwards to senior leadership and formally blessed by management. But once made, such a decision gets you to 99-100% 2FA use.
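The notice-then-enforce rollout described above, as an added example that is not code from the original post: a guardrail that always admits enrolled accounts, warns unenrolled ones during the notice window, and denies them once the enforcement date arrives, plus a report of adoption and of who would be locked out on a given day. The account names, rollout dates and directory are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"  # enrolled, or enforcement not yet announced
    WARN = "warn"    # notice window: allowed, but told 2FA becomes mandatory
    DENY = "deny"    # enforcement date reached: blocked until enrolled

@dataclass(frozen=True)
class Account:
    user: str
    mfa_enrolled: bool

def evaluate_login(account, today, notice_date, enforce_date):
    """Guardrail: enrolled users always pass; unenrolled users are warned
    during the notice window and denied once the switch is flipped."""
    if account.mfa_enrolled:
        return Decision.ALLOW
    if today >= enforce_date:
        return Decision.DENY
    if today >= notice_date:
        return Decision.WARN
    return Decision.ALLOW

def rollout_report(accounts, today, notice_date, enforce_date):
    """Adoption percentage plus who is warned or locked out on a given day."""
    decisions = {a.user: evaluate_login(a, today, notice_date, enforce_date)
                 for a in accounts}
    enrolled = sum(1 for a in accounts if a.mfa_enrolled)
    return {
        "adoption_pct": round(100.0 * enrolled / len(accounts), 1),
        "warned": sorted(u for u, d in decisions.items() if d is Decision.WARN),
        "locked_out": sorted(u for u, d in decisions.items() if d is Decision.DENY),
    }

# Constructed sample directory and rollout dates (placeholders, not real data).
ACCOUNTS = [Account("alice", True), Account("bob", False), Account("carol", True),
            Account("dave", False), Account("erin", False)]
NOTICE_DATE = date(2025, 3, 1)   # "ample notice and warning" starts here
ENFORCE_DATE = date(2025, 4, 1)  # the switch is flipped here

if __name__ == "__main__":
    for day in (date(2025, 2, 15), date(2025, 3, 15), date(2025, 4, 15)):
        print(day, rollout_report(ACCOUNTS, day, NOTICE_DATE, ENFORCE_DATE))
```

Before the notice date the report shows the 40% adoption the post calls "might as well be 0%"; after the enforcement date every unenrolled account is in `locked_out`, which is what drives adoption to 99-100%.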
I offer this as a hypothetical example, and invite you to fill in the blank with your favorite defensive security control. Because a company that has only 40-50% adoption of a specific security control might as well be at 0%. What good is a wall with gigantic obvious holes in the middle that attackers can just walk right through?
If security training and education is the solution to the security problem you are trying to solve, then you have already failed.