  • Jessica Barker

Raising cyber security awareness of 50,000 people: 3 key lessons

I’ve been delivering cyber security awareness-raising training for over ten years. People often ask for my advice so in this blogpost I'm sharing three key lessons I’ve learned over the last decade.

1. Framing + context = engagement

One client recently spoke to me about their challenges engaging colleagues in cyber security when they don’t work with computers on a daily basis.

Another described a complacent culture where everyone thinks “it won’t happen to us”.

And then there was the client with a deeply creative culture, where people thought cyber security would simply stand in their way.

My initial diagnosis of all these complaints was essentially the same, but how we then treated the problem varied quite a bit.

In cyber security awareness, we often speak of the need to explain the ‘why’. That is the first half of tackling the three problems above (and so many others) when it comes to raising cyber security awareness.

That helps us frame cyber security in a way that is more impactful for our audience.

But that is only half of what I like to call the cyber security engagement equation.

The second half of the equation is to tackle ‘why me?’. This provides the context, helping people understand not just why cyber security is relevant, but why it is relevant to them.

Address this equation first if you want people to engage in awareness-raising, which itself is the first step in behavioural change.

Framing ("why?") + Context ("why me?") = Engagement
If you want people to engage in awareness-raising, answer "why?" and "why me?"

If you haven’t read Sinek’s 'Start With Why', it’s a great book to get into the mindset of addressing ‘why’ and ‘why me’. Sinek's TED Talk is a good place to start.

2. A problem without a solution is not their problem

Hold the front page: I have a big issue with fear-mongering cyber security awareness. Anyone familiar with my work knows that “we can’t scare people into security” is a hill I will die on. I first gave a keynote about this in 2014 (at BSides Manchester) and you can check out my RSA 2020 keynote on cyber security and the psychology of fear.

I have an even bigger problem with cyber security awareness-raising that scares people AND offers no solution.

Let’s say you’re raising awareness of passwords. You want everyone in your organisation to use complex, unique passwords for all of their accounts. If you don’t have single sign-on or a password manager, what are you asking people to do? Remember them?

Add in enforced password changes and this just went from unreasonable to impossible.

We don’t inspire positive behavioural change by scaring people. We inspire positive behavioural change by proportionately communicating the threat and then focusing on the actions people can take to protect themselves. And if we’re asking people to change their behaviour, we’d better have a realistic way for them to do that.

Awareness-raising cannot fix a problem for which you are not offering a solution. We need to provide the tools for people to practice secure behaviours.

3. Metrics matter

Perhaps you were drawn to read this blogpost partly by the reference to 50,000 people in the title.

Some of you were probably sceptical of the number. And you were right to be.

It’s not 50,000 people; it’s way more than that. The figure of 50,000 people comes from just the last few years, when I started keeping track. And it's only the participants from live awareness sessions, not including those who watch our awareness-raising videos, for example.

A big mistake I made was not keeping track of the numbers earlier in my career. The number is probably around 100,000 but I don’t really know, because I didn’t keep track.

Don’t make the mistake that I made. Identify metrics as soon as possible in your awareness-raising and track them. Sometimes, people worry about identifying the right metrics for human cyber. Don’t. Metrics take practice; start tracking and then worry about refining them. But if you don’t start tracking, you won’t identify what works and what doesn’t.

Some awareness, behaviour and culture metrics to consider:

  • report rate of incidents, near-misses and simulated phishes (don’t worry so much about the click rate, which I talk more about here)

  • engagement with your content, from blog posts to emails to external speaking sessions

  • number of questions and requests coming in to your security team

  • how people in your organisation feel about security, and how this impacts their behaviours (our culture assessment can help with this)

In this blogpost I’ve talked about the need to focus on framing ("why?") plus context ("why me?") if we want to build engagement. I’ve shared the golden rule of focusing on solutions over fear. And I’ve covered the importance of metrics, with a few ideas on some awareness, behaviour and culture metrics that you could track (if you aren’t already).

If you want to know how Cygenta can support cyber security awareness, behaviour and culture in your organisation, please get in touch.

And don’t miss some exciting news coming from us soon. Lots of our clients want to scale up their awareness, behaviour and culture programmes and we're going to make it easier to do just that. Sign up to our mailing list to stay in the loop!

