Learn why security awareness alone fails to prevent human error, and how technical controls and a strong security culture can reduce risk.
Every year, statistics are published on the top root causes of cyber breaches, and the human element consistently ranks near the top. It’s no surprise, then, that a fair share of effort goes into security awareness activities. Yet, despite these initiatives, the trend is not changing dramatically: human errors continue to occur, often leading to major incidents such as compromised credentials and infected machines.
In the security world, it is common to hear that users are the weakest link in the security chain (raise your hand if this phrase showed up in your recent awareness training). Such statements shift the focus away from technology and onto people, suggesting that people are the problem. But the issue isn’t just that users make mistakes – it’s that many organizations fail to take a holistic approach that integrates technical controls, security-by-design principles and effective training that actually changes behavior. Without it, companies leave major gaps in their defense strategy.
Why Security Awareness Training Fails
While security awareness training is considered common practice in many organizations, these programs often serve compliance purposes rather than driving real behavioral change. Employees sit through annual, outdated training that feels like a corporate obligation rather than something practical. Instead of embedding security into daily operations, organizations overwhelm employees with generic recommendations that are quickly forgotten. Since the goal is often to pass a mandatory quiz rather than to adopt security concepts, the lessons rarely lead to meaningful behavioral change.
Another reason awareness programs fail is that they teach users to spot warning signs like misspellings, suspicious links, and urgent requests. While this has some benefits, modern attacks have become more sophisticated. As observed in our latest Field Report, there is increasing use of generative AI tools to make scam messages more convincing. Relying on users to detect every threat is not an effective strategy.
Beyond outdated training methods, security can be perceived as a set of guidelines rather than an enforceable process. For example, employees are told not to reuse passwords, but without systems like password managers that help users comply, or policies that are actually enforced, these recommendations are easily ignored. When security behaviors aren’t built into daily operations, employees view them as suggestions rather than requirements.
In some cases, employees don’t see security as part of their job. Many believe cybersecurity is the IT or security team’s responsibility, not theirs. Without clear incentives or a “What’s in it for me?” mindset, security best practices often lose to convenience. Employees will prioritize getting their work done as quickly as possible, sometimes at the cost of taking shortcuts like sharing passwords or bypassing security controls. If security feels like a burden rather than a natural part of work, people will tend to choose the path of least resistance.
Given these challenges, it’s clear that traditional awareness training alone is not enough. Human mistakes are inevitable, and security efforts must shift from simply ‘educating’ users to reducing opportunities for errors through well-designed technical controls.
Mitigating User Mistakes with Technology
People don’t always make the same decisions throughout the day – distractions, fatigue, and urgency all impact judgment. That’s why even the most comprehensive security awareness program is not enough. Organizations need built-in security mechanisms that not only help users avoid mistakes but also provide fail-safes when they happen.
In every awareness program there are fundamental themes that always repeat themselves – passwords and emails. Users are told to choose strong passwords (long, with symbols and digits) and to change them every couple of months. Users also typically have more than one password to manage. This is the point where reusing credentials, storing them insecurely, or choosing weak variations comes into play, creating a direct path to identity compromise. Several tools can help security teams avoid that. For example, enforcing Single Sign-On (SSO) ensures users only need one set of credentials for all company applications. For cases where multiple passwords are still necessary, organizations should provide password manager solutions. Passwordless solutions, such as FIDO2 keys, avoid the chase over which passwords count as strong enough altogether, and also provide phishing-resistant authentication.
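The phishing resistance of FIDO2 keys comes from origin binding: the browser, not the user, records the site the login actually happened on, and the authenticator signs over that record. The following is an added example and not code from the original article or from Sygnia; it is a stripped-down model of that check, not a real WebAuthn implementation. HMAC with a per-credential secret stands in for the authenticator’s asymmetric signature, and the domains, user name and password are constructed.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed from a phishing page,
while a password typed into the same page can be.  Simplified model only:
HMAC stands in for the authenticator's signature; all names are constructed."""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://sso.example.test"           # constructed legitimate SSO origin
PHISH_ORIGIN = "https://sso-example-login.test"  # constructed lookalike origin


class Authenticator:
    """Security-key model: one secret per credential that never leaves the device."""

    def __init__(self):
        self._secrets = {}

    def make_credential(self, cred_id):
        self._secrets[cred_id] = secrets.token_bytes(32)
        return self._secrets[cred_id]  # handed to the RP once, at enrolment

    def get_assertion(self, cred_id, browser_origin, challenge):
        # clientData is assembled by the browser from the origin it is really on;
        # neither the user nor the requesting page can substitute another origin.
        client_data = f"{browser_origin}|{challenge.hex()}".encode()
        sig = hmac.new(self._secrets[cred_id], client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """Identity-provider model: verifies origin, challenge freshness and signature."""

    def __init__(self):
        self.cred_keys = {}
        self.pending = {}
        self.pw_hash = hashlib.sha256(b"salt|Winter2025!").digest()  # constructed

    def start_login(self, user):
        self.pending[user] = secrets.token_bytes(32)  # fresh challenge per attempt
        return self.pending[user]

    def verify_assertion(self, user, cred_id, client_data, sig):
        challenge = self.pending.pop(user, None)
        origin, challenge_hex = client_data.decode().split("|", 1)
        if origin != RP_ORIGIN:
            return False  # origin binding: a lookalike site's origin is rejected
        if challenge is None or challenge_hex != challenge.hex():
            return False  # stale or unknown challenge: blocks replay
        expected = hmac.new(self.cred_keys[cred_id], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def verify_password(self, password):
        # The RP has no way to tell where the password was typed.
        candidate = hashlib.sha256(b"salt|" + password.encode()).digest()
        return hmac.compare_digest(self.pw_hash, candidate)


def fido_login_from(page_origin):
    """User completes a FIDO2 login while on page_origin; whoever controls that
    page forwards the assertion to the real RP.  Returns the RP's decision."""
    auth, rp = Authenticator(), RelyingParty()
    rp.cred_keys["cred-1"] = auth.make_credential("cred-1")
    challenge = rp.start_login("alice")  # relayed to the page the user is on
    client_data, sig = auth.get_assertion("cred-1", page_origin, challenge)
    return rp.verify_assertion("alice", "cred-1", client_data, sig)


def password_login_from(page_origin):
    """Same flow with a password: the page operator relays whatever was typed,
    and the RP accepts it regardless of page_origin."""
    rp = RelyingParty()
    typed_on_page = "Winter2025!"  # constructed; captured verbatim by the page
    return rp.verify_password(typed_on_page)


if __name__ == "__main__":
    print("FIDO2 from real site:", fido_login_from(RP_ORIGIN))       # True
    print("FIDO2 from lookalike:", fido_login_from(PHISH_ORIGIN))    # False
    print("Password from lookalike:", password_login_from(PHISH_ORIGIN))  # True
```

In real WebAuthn the browser adds a second layer this model omits: it will not even offer a credential whose registered rpId does not match the page’s domain, so a lookalike site never obtains an assertion to relay in the first place. The origin check on the server side shown here is what catches anything that slips past that.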
Another common focus in awareness training is email security, particularly phishing risks. Eliminating URLs from emails isn’t realistic, and users will inevitably click links. Instead of expecting users to identify every phishing attempt, organizations should implement automated security controls that reduce the risk before a mistake happens. URL scanning solutions can inspect links before a user clicks, blocking access to known malicious sites. If a user does click a suspicious link, browser isolation can contain the threat by opening the link in a secure virtualized environment, or prevent the user from entering information into text fields, depending on the controls available.
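A pre-click verdict of the kind these controls compute, as an added example (not code from the article or from any product it mentions): links are pulled out of a message, the host is normalized so mixed case, trailing dots and internationalized labels compare consistently, and each link is blocked, allowed, or sent to browser isolation. The blocklist, allowlist and email body are constructed; a real deployment backs the lists with threat intelligence and a reputation service.

```python
"""Pre-click URL triage: block known-bad hosts, allow vetted ones, and open
everything else in isolation.  Lists and the sample message are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKLIST = {"malicious.example.test"}                 # constructed known-bad host
ALLOWLIST = {"intranet.example.test", "example.test"}  # constructed vetted domains

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

SAMPLE_EMAIL = """Hi team,
the Q3 figures are at https://intranet.example.test/finance/q3
Please also confirm your account at HTTP://Malicious.Example.Test./verify
and review https://203.0.113.7/login plus https://exämple.test/docs
"""  # constructed message body


def extract_urls(body):
    """Pull every http(s) link out of a plain-text body."""
    return URL_RE.findall(body)


def normalize_host(url):
    """Lower-case the host, drop a trailing dot and convert Unicode labels to
    their punycode (xn--) form so list lookups are consistent."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""  # undecodable host: treated as unparseable below


def domain_and_parents(host):
    """'a.b.example.test' -> ['a.b.example.test', 'b.example.test', 'example.test']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def verdict_for(url):
    """Return (verdict, reason) with verdict in {'block', 'allow', 'isolate'}."""
    host = normalize_host(url)
    if not host:
        return ("block", "unparseable host")
    if any(d in BLOCKLIST for d in domain_and_parents(host)):
        return ("block", f"{host} matches the blocklist")
    if any(d in ALLOWLIST for d in domain_and_parents(host)):
        return ("allow", f"{host} is a vetted domain")
    try:
        ipaddress.ip_address(host)
        return ("isolate", f"raw IP literal {host}")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("isolate", f"internationalized domain {host}")
    return ("isolate", f"unvetted domain {host}")


def scan_email(body):
    """Map each link in the body to its verdict, as a link-rewriting proxy would."""
    return {url: verdict_for(url) for url in extract_urls(body)}


if __name__ == "__main__":
    for link, (verdict, reason) in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:8} {link}  ({reason})")
```

The default for anything not explicitly vetted is isolation rather than a plain allow: that is the fail-safe the paragraph describes, where a wrong click lands in a contained environment instead of the user’s real browser session.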
File and application handling is another common concern, especially when end users require administrative permissions. As before, completely preventing email attachments or file downloads is not realistic for the vast majority of organizations. Nevertheless, this risk can be mitigated by fail-safe controls such as application allowlisting, which ensures only approved applications are allowed to run. Elevated permissions can be granted temporarily using a just-in-time (JIT) solution, or by utilizing an Endpoint Privilege Management tool that elevates permissions for a specific process or application only. These controls allow security teams to provide solutions that support business requirements, but in a secure manner.
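How allowlisting and scoped elevation fit together, as an added example that is not from the article or any product it names: a binary may run only if its hash is on a manifest, and administrative rights are granted only to a listed binary covered by a grant that is bound to that exact hash and to a time window. The manifest, grants and sample binaries are constructed, and the decision is modelled in Python; a real control is enforced by the operating system and checks code-signing publishers as well as hashes.

```python
"""Hash-based allowlisting plus a time-bound, per-binary JIT elevation grant.
Manifest, grants and the sample binaries are constructed for the example."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

APPROVED_TOOL_BYTES = b"constructed-bytes-of-approved-tool-v1"
ALLOWLIST = {  # constructed manifest: sha256 hex digest -> product name
    hashlib.sha256(APPROVED_TOOL_BYTES).hexdigest(): "Approved Tool 1.0",
}


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class ElevationGrant:
    """A JIT approval scoped to one binary (by hash) and one time window."""
    exe_hash: str
    expires_at: float  # Unix time

    def covers(self, exe_hash, now):
        return exe_hash == self.exe_hash and now < self.expires_at


def decide(path, wants_admin=False, grants=(), now=None):
    """Return (decision, reason).  Unknown or modified binaries are denied;
    admin rights go only to a listed binary with a live grant, otherwise it
    still runs, but as a standard user."""
    now = time.time() if now is None else now
    digest = sha256_file(path)
    name = ALLOWLIST.get(digest)
    if name is None:
        return ("deny", f"{os.path.basename(path)} is not on the allowlist ({digest[:12]}...)")
    if not wants_admin:
        return ("run", name)
    if any(g.covers(digest, now) for g in grants):
        return ("run-elevated", f"{name} under an active JIT grant")
    return ("run", f"{name} without elevation: no active grant")


def demo():
    """Write constructed binaries to a temp dir and exercise each decision path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved-tool.exe")
        tampered = os.path.join(d, "approved-tool-modified.exe")
        unknown = os.path.join(d, "unknown.exe")
        for p, data in ((approved, APPROVED_TOOL_BYTES),
                        (tampered, APPROVED_TOOL_BYTES + b"x"),
                        (unknown, b"constructed-unknown-binary")):
            with open(p, "wb") as f:
                f.write(data)
        now = 1_700_000_000.0  # fixed clock so the demo is deterministic
        h = sha256_file(approved)
        live = ElevationGrant(h, expires_at=now + 900)  # 15-minute window
        expired = ElevationGrant(h, expires_at=now - 1)
        results["approved"] = decide(approved, now=now)
        results["elevated"] = decide(approved, wants_admin=True, grants=[live], now=now)
        results["expired"] = decide(approved, wants_admin=True, grants=[expired], now=now)
        results["tampered"] = decide(tampered, now=now)
        results["unknown"] = decide(unknown, wants_admin=True, grants=[live], now=now)
    return results


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case:9} {decision:13} {reason}")
```

Two details carry the security value: a one-byte change to an approved binary produces a different hash and is denied outright, and an expired grant silently degrades to a non-elevated run rather than failing open, so a user who is busy and distracted cannot end up with standing admin rights.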
Configuring applications with secure defaults is an effective way to prevent mistakes before they happen. For example, collaboration platforms often provide sharing settings that restrict the sharing of data with external parties. Organizations that need external sharing can keep it available but set the default option to internal users only, minimizing mistakes that might lead to data leakage. This is another way companies can integrate security into business processes from the start.
At the same time, security must also be practical. If security controls are too rigid, users will bypass them. For example, when employees need new software, a complex or frustrating approval process will push them to find their own solutions, creating Shadow IT instances across the organization. When you inflate a balloon too much, at some point it bursts. Similarly, when security controls are too restrictive, users may ‘break out’ and find ways to circumvent them.
Security teams should evaluate how to enforce security standards that minimize opportunities for mistakes. By combining technical controls with usability, organizations can significantly reduce human error while ensuring security does not become a barrier to productivity.
Creating a Positive Security Culture
Technology plays a critical role in minimizing users’ mistakes, but security awareness and technical controls alone are not enough. This is where security culture comes into play. A strong security culture ensures that security isn’t just a set of rules – it becomes part of how employees work and behave.
Security culture is not established through one-time training. It requires ongoing maintenance and a deep understanding of how employees perceive security. If employees see security as a compliance requirement rather than a shared responsibility, they won’t prioritize it. Organizations should regularly assess their security culture – gathering feedback on policies, identifying knowledge gaps, and understanding how employees feel about the security team. With this information, organizations can tailor security initiatives to the focus areas raised by employees themselves.
Making security a natural part of workplace norms is key to changing behavior, and this can be achieved in several ways. A no-blame policy ensures that employees feel comfortable reporting incidents rather than hiding them out of fear of consequences. Employees are more likely to follow security practices if they see their colleagues doing the same, and encouraging employees to report suspicious activity or admit mistakes without fear of punishment helps create an environment where security is proactive rather than reactive. In addition, making security relevant to employees’ daily lives, such as safeguarding personal devices, banking accounts, and social media, fosters a stronger connection to workplace security practices, making it more likely that employees will follow the same principles at work.
Security teams should also be seen as enablers, not blockers. Security should support employees in doing their jobs safely, rather than making their work harder. Meeting with different business stakeholders to align security with operational needs helps remove unnecessary roadblocks. A security team that collaborates rather than dictates is more likely to be embraced by the organization. Employees should have easy ways to ask security-related questions without hesitation; one way to achieve this is through “Ask Me” security channels in Slack or Teams, which provide an open, less formal space where employees can get security guidance and help. Instead of being the “Department of No,” security teams should embed security into business processes in a way that minimizes friction while maintaining strong protections.
That said, security culture efforts must be supported by the leadership. If executives and managers don’t take security seriously, employees won’t either. Leadership should communicate the importance of security and actively support security initiatives. When security is prioritized at all levels of the organization, it becomes a shared responsibility.
A strong security culture doesn’t happen overnight. It takes continuous work, alignment with business needs, and a commitment to making security both accessible and beneficial. Prioritizing low-hanging fruit can generate quick, visible wins that signal a positive shift. This sets the stage for more complex initiatives and builds momentum toward a bigger plan in which security is considered a partner and not a blocker.
Conclusion
The key to reducing human error is not just preventing mistakes but creating an environment where mistakes are less impactful and harder to make. A strong security posture is achieved by integrating security into daily operations, rather than relying solely on user awareness.
Technical controls must be at the core of security efforts – modern authentication, access controls and endpoint protections provide a strong defense that doesn’t rely on users making the right decisions every time. Without these controls, supported by a strong security culture, even the best security awareness programs will fall short.
To sum up, in order to strengthen security posture, organizations should:
- Survey employees on security practices to understand their perceptions, identify pain points, and improve engagement.
- Assess the current security posture by evaluating controls that complement user behavior, such as SSO, password managers, application allowlisting, and advanced email scanning.
- Implement phishing-resistant authentication (e.g., passwordless logins, FIDO2 keys).
- Foster a no-blame policy and provide approachable security knowledge through channels like “Ask Me” security chats, Lunch & Learns, and roundtables.
- Leverage leadership influence to promote secure behaviors.
At the end of the day, security isn’t just about stopping mistakes – it’s about ensuring that when they happen, they don’t lead to disaster.
About the Author
Koby Zvirsh is a Cyber Security Consultant at Sygnia. He is an Information Security expert with over 15 years of experience in startups and global enterprises. Koby has an extensive background in multiple disciplines, such as Security Management, Product Security, Cloud Security, Project Management, Risk Management, Privacy, Compliance Audits, Modern Workforce, Endpoint Security, Incident Response, Resiliency, and Zero Trust. Koby can be reached online at LinkedIn.