Six Ways to Increase Employee Engagement in Security Training

Six Ways to Increase Employee Engagement in Security Training

By now most of us understand that employees are cybersecurity’s weakest link and biggest attack vector – those online criminals are targeting specific people within organizations with access to sensitive data – instead of traditional perimeter defenses. Yet increasing employee engagement in both security awareness training and application security (AppSec) training still too often meets foot-dragging, procrastination, and collective eyerolls – when it’s even offered. 

In 2021 businesses lost a staggering $7 billion due to cyberattacks and insider threats. Per usual, these breaches can be traced to a single employee – usually unwittingly – clicking on the malicious email and ushering in a torrent of trojan horses into his or her company. 

Six Ways to Increase Employee Engagement in Security Training

In 2021 the FBI’s Internet Crime Complaint Center (IC3) fielded a record 847,376 reported complaints – a 7 percent increase from 2020. Potential losses exceeded $6.9 billion. Once again, ransomware and business email compromise (BEC) attacks led the way. For the first time ever the criminal use of cryptocurrency joined the top three incidents reported. BEC schemes alone resulted in 19,954 complaints totaling $2.4 billion. 

This begs the question: How can something so potentially costly to businesses not carry greater urgency within organizations? Why are so many blowing it off, or being otherwise unserious when it comes to implementing security training? 

1. Make it Matter, Make it Believable

Some version of “this is cheesy,” “we already know this” and “not a thing that would happen in real life” have been overheard somewhere during security training. While most employees understand they are the weak link cyber-wise, not every employee knows what to do with this information. They have heard lots of fear mongering, but far fewer solutions. Tell them what they don’t already know. Communicate something of value. Instead of sowing fear, uncertainty and doubt, practice empathy and understanding for the position they are in and show vision for what they are likely to encounter. 

In other words, make your security awareness training believable and inspired by real-life attacks. Use actual web pages they are likely to run across in your examples. SQL injection attacks don’t happen on login pages, but they might happen in checkout pages. They are even more likely to happen in random, semi-arcane places. Use these as your examples, so that your audience knows that you know what you’re talking about. Teach them to identify, disable and quarantine attacks before they become expensive problems.

For example, ThriveDX recently acquired Kontra which provides application security training aimed squarely at developers. Whereas normally developers find bugs and report them, Kontra teaches them instead how to identify and fix security vulnerabilities and other bugs in real time, saving four or more weeks on the next rev.

2. Practice Radical Candor

Acknowledge up front that security training is nobody’s first choice in time management. We get it. At the same time, people generally agree that having jobs is a good thing. If a company falls victim to ransomware, one person’s carelessness could end up costing dozens of people their careers, if not the business itself. So of course, cybersecurity awareness training and AppSec training is going to be mandatory. Let’s make the most of it, shall we?

3. One Size Does Not Fit All

Not all employees are equal. Some are more likely to be attacked than others. Acknowledging up front you understand this basic truth should increase employee engagement. Specifically, people with privileged access to sensitive data are much likelier to be targeted. Your training should account for these human heightened risks by separating them off from the group and walking them through the most likely scenarios they might encounter.

4. Tighten It Up

Why spend 20 minutes making a point you can convey in five? People are smarter than you think. Approach training like it’s not their first day with a computer and an internet connection. By now most folks have a general understanding of what threats await them after making bonehead decisions online. What they do not have is a lot of time.

Gyan Chawdhary is founder and CEO of Kontra, which he calls Application Security Training by developers, for developers. “Nobody has time for security training…least of all, developers,” said Chawdhary. “That’s why one of our key differentiators is that every part of our training runs five minutes, max.”

5. Tell A Story

In addition to showing an attack and how to fix it, include a narrative. Tell an interactive story of real-life attacks. Many devs are curious as to how attackers found this bug in the first place. What tools did they use? What code were they looking for? How did this security vulnerability come to be discovered? Kontra shows them this back story and walks them through the steps from the perspective of a cybercriminal. It shows them a hacker’s tricks. Square that circle, and good code follows.

6. Scale your content by integrating w/ other LMS software

All too often both security awareness training and application security training are standalone courses sitting outside of a company’s Learning Management Software (LMS). This effectively means you can assign training without enforcing any compliance. If developers are writing code while AppSec Training runs in the background, how would you know, and what could you even do about it? 

The other problem is many times security training will force companies to adopt their LMS systems, in order to give the companies visibility into employee compliance. This presents several problems. First of all, why would a developer want to login to yet another system in addition to their own LMS to complete training? This also gets at the fact that many enterprise LMS systems are much more sophisticated and complex than anything offered by cybersecurity training. While an organization might gain some enforcement and compliance capabilities, they’ll more than lose in overall functionality.

A final word on increasing engagement

There is no silver bullet to getting everyone to expert level in combating today’s threat landscape. Ultimately it comes down to how much organizations value a security-conversant workforce and strive to implement the above tips. Making the content shorter, more relevant, and more customized should significantly increase employee engagement in security training – ultimately saving the company money in the form of attacks that never happened. Who knows, you might even discover upskillable employees to add to your security team. 

For more information on ThriveDX’s enterprise security training programs, please visit us at

Digital Skills Training and EdTech Solutions | ThriveDX

Data Breach Types

Christopher Dale is the content marketing manager for ThriveDX’s Enterprise Division. He has worked in the cybersecurity field for almost 14 years in PR, social media and content development roles for a range of companies including ESET, Forcepoint, Cylance (Blackberry) and Proofpoint. He holds Bachelor of Arts degrees in Political Science and Rhetoric & Communication from the University of California, Davis. 

Protect Your Organization from Phishing


Explore More Resources

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.

Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.
tagging ThriveDX Enterprise on LinkedIn

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content