DigitalXRAID

Beyond the Checkbox: Confronting the Elephant in the Inbox to Build a Security Culture That Sticks

Last quarter, I sat in a boardroom with the CISO of a mid-sized organisation. They were proud: “100% of staff completed the quarterly LMS module,” they said.

On paper, compliance was perfect. In reality? Staff were clicking through while juggling emails, calendar invites, and Teams notifications. Awareness? Practically zero.

Research shows that up to 75% of employees forget training content within a week (Gitnux, 2025). So even when everyone completes the module, the impact is fleeting.

This is the reality in most organisations: posters on walls, mandatory online modules, and phishing simulations arrive like background noise, visible but mostly ignored. The system is designed to tick boxes, not build culture. Vendors sell polished videos, interactive content, even Netflix-style platforms, but the truth is, security isn’t entertainment. Outside our little information security bubble, nobody wakes up thinking about malware or phishing. People wake up thinking about deadlines and customers.

So how can you tell if your organisation’s “security awareness” is doing its job? What does real engagement look like? And most importantly, how do you create a culture where employees truly see security as part of their work, not an imposition?

Training numbers tell one story; behaviour tells another. By examining client experiences and metrics, we can uncover the gap between compliance and culture. The question isn’t whether you ran awareness training, it’s whether employees live security every day.

Key Takeaways

  • Tick-box training fails – annual LMS modules and punitive phishing tests deliver compliance metrics but don’t build lasting awareness or secure habits.
  • Real culture shows in behaviour – reporting suspicious emails, avoiding shadow IT, and adopting secure workflows are better indicators than quiz scores.
  • Fear blocks learning – punishments drive avoidance, while coaching and positive reinforcement improve engagement and resilience.
  • Shadow IT = cultural signal – staff use unapproved tools when secure options are slow or restrictive; fixing this requires visibility and collaboration, not crackdowns.
  • Make security frictionless – integrate safe behaviour into workflows, tie policies to business risk, and empower staff to report mistakes without blame.
  • Measure what matters – track reporting rates, participation, and risk reduction, not just completion percentages, to gauge true security culture.

The Dentist (or In-Laws) Problem

Most awareness training in organisations lands about as well as a dental check-up or, for some, a visit from the in-laws. You don’t look forward to it. You don’t feel like it’s the best use of your time. You endure it because you have to. And while you’re nodding along, your mind is elsewhere: answering emails, planning tomorrow’s deadlines, or scrolling through your phone.

I’ve seen this play out across organisations of all sizes. At one organisation, employees were required to complete a 45-minute learning management system (LMS) module every quarter. Compliance was 100%, but the actual engagement? Minimal. Staff had mastered the art of letting the video run in the background, blitzing through the quiz at the end, and closing the tab with relief.

Training was technically happening, but awareness itself was largely absent.

The numbers support this human behaviour. Research shows that 75% of employees forget training content within a week (Gitnux, 2025), and only 13% of organisations extend training beyond mandatory completion (Gitnux, 2025). Even when employees engage, much of it is superficial. The content isn’t sticking, because it feels imposed and disconnected from their daily reality.

This isn’t about shaming employees; they’re busy, human, and naturally take the path of least resistance. But if your organisation’s security culture treats awareness like a chore rather than a core part of the workday, you’re inadvertently building resentment, not resilience. Training becomes a speed bump to click past, not a guide to understanding risk.

The takeaway? Engagement isn’t just about the content quality, it’s about context, relevance, and integration into real work. When people see security as an interruption rather than a tool, even the best training fails to move the needle. And that’s your first warning sign that your culture might be stuck in tick-box mode.


Three Strikes and You’re Out (Or Are You?)

How many times have you watched someone hover over an email, cursor trembling, debating whether to click, while you silently judge them? I’ve seen it dozens of times, not because people are careless, but because the rules around phishing tests are stricter than a tax audit. Fail too many simulated attacks, and suddenly you’re on retraining, or worse, under the watchful eye of IT and HR.

The intent is understandable. One slip, one wrong click, and consequences in the real world can be serious. But here’s the catch: fear doesn’t teach awareness, it blocks it.

Employees start reacting instead of thinking. They click hurriedly to get the exercise over with, forward every suspicious email without consideration, or avoid initiative entirely. Awareness becomes a game of avoidance, not learning.

Metrics often tell a misleading story. For example, industry reports show an 86% global reduction in phishing click rates after training. Sounds impressive, right? But dig deeper: open rates, reporting behaviour, and proactive questioning often lag far behind.

Studies show that 71% of employees fall for social engineering attacks, and 44% of new hires are more likely to click malicious links (ITPro, 2025). Punitive tests might reduce one metric but don’t improve real-world resilience.

I’ve sat in meetings where staff described the feeling as “everyone’s afraid to breathe near an email.” The fear spread quickly: cautiousness replaced understanding, and security teams became the “bad guys” in the eyes of the organisation. Reporting dropped, collaboration stalled, and the phishing tests lost their educational value entirely.

The organisations that thrive aren’t the ones with the strictest click thresholds; they’re the ones where employees feel safe to make mistakes, ask questions, and escalate concerns. They measure success not just by reduced click rates, but by engagement, confidence, and reporting activity. Real culture comes from dialogue, coaching, and integrating security into everyday decisions, not fear.

Forward-thinking teams frame phishing simulations as learning exercises rather than traps. They reward curiosity, celebrate improvement, and track reporting metrics, not just “who clicked what.” Because at the end of the day, culture trumps compliance every time.

The Alley No One Talks About

Shadow IT is the digital equivalent of a dimly lit alley no one wants to walk down, until something goes wrong. It’s convenient, invisible, and dangerously tempting. Most employees don’t intend to cause harm; they’re just trying to get work done without fighting bureaucracy. The shortcuts they take, however, can leave serious vulnerabilities lying in wait.

I remember working at a tech startup: fast-moving, hyper-innovative, and everyone under tight deadlines. Developers spun up collaboration apps on the fly, marketing purchased analytics platforms on personal cards, and sales deployed a handful of unvetted CRMs.

On the surface, everyone was solving real problems. Underneath, over 20 untracked applications were storing sensitive company data, completely outside of IT’s visibility. One misconfigured folder, one forgotten subscription, and you’ve got a potential breach waiting to happen.

This isn’t just a technical problem; it’s cultural. When the approved tools feel slow, restrictive, or hard to access, people naturally take the path of least resistance. Studies show that over 60% of employees admit to using unauthorised SaaS apps, and 43% of breaches are linked to shadow IT or misconfigured cloud applications (Ponemon Institute, 2023; Gartner, 2024). Shadow IT isn’t laziness or malice; it’s a signal that sanctioned processes aren’t keeping pace with how people actually work.

The organisations that manage shadow IT effectively don’t crack down; they build visibility and trust. They ask, “How can we empower employees to innovate safely?” instead of “How do we catch them using the wrong tool?” When secure tools are integrated seamlessly into daily workflows, shadow IT naturally diminishes. Culture feeds into the motivation, actions, and triggers of individuals, which in turn drive their behaviour. If the official path is easier, safer, and faster, people will take it.

Security isn’t about policing; it’s about lighting the alley, putting up signs, and making the safe path the obvious choice.


When Compliance Pretends to Be Culture

Security awareness isn’t just about ticking boxes. Completion rates, click percentages, and policy sign-offs might look good on paper, but they don’t reveal whether people are actually thinking about risk when no one is watching. Real culture shows itself in behaviour, decision-making, and whether security is part of everyday work, not a once-a-year obligation.

Here are the telltale signs your organisation is trapped in tick-box mode:

  1. Training is mandatory, but nobody remembers it
    Employees click through 45-minute LMS modules, blitz the quiz at the end, and promptly forget everything. If the lessons don’t stick, the programme is like a fire drill with no follow-up: impressive on paper, useless in practice.
  2. Phishing tests are punitive rather than instructive
    Employees click hurriedly, forward every suspicious email to IT, or avoid initiative. Plenty of vendors and organisations showcase reduced click rates after training, but reporting remains inconsistent. Fear might reduce one number, but it doesn’t build awareness.
  3. Security is siloed from daily workflows
    If IT and infosec teams only appear during audits or crises, shadow IT flourishes. Employees take shortcuts because the sanctioned path is too slow or cumbersome. Culture drives behaviour: if your tools are hard to use, people will improvise.
  4. Compliance drives decisions, not risk awareness
    Following frameworks and checklists is necessary, but if it’s the only goal, people comply without understanding. Your organisation can be “secure on paper,” but real risk hides in behaviour gaps.
  5. People don’t feel empowered to report mistakes
    Fear of blame suppresses reporting. Studies show that many breaches begin with small, unreported errors (Verizon Data Breach Investigations Report, 2024). Culture that punishes mistakes stifles learning and leaves risk unaddressed.
  6. Engagement is superficial
    Posters, email reminders, and yearly videos might catch the eye, but they don’t create or build understanding. Culture isn’t built by passive consumption. It’s built by integrating security into daily work decisions.
  7. Security is perceived as the “bad guy”
    Rigid policies, punitive tests, and last-minute audits position security teams as enforcers. People push back, circumvent rules, and ignore guidance. Trust and collaboration are essential; without them, awareness becomes a once-a-year show at the compliance theatre.

Tick-box culture isn’t irreversible. The organisations that thrive are those that integrate learning into workflows, encourage reporting, and treat mistakes as opportunities for improvement. Metrics like reporting rates, engagement in security discussions, and proactive mitigation measures are far more telling than quiz scores or click percentages.

Turning Awareness into Action

Let’s face it, most people aren’t ignoring security because they don’t care. They’re busy, distracted, and trying to get their work done. Security often sits on top of everything else like a speed bump: necessary, annoying, and easy to glide past if you’re in a hurry. That’s why building real awareness takes more than a checklist; it’s about making security part of the flow of work, not an interruption.

Here’s how you can start nudging your organisation away from tick-box culture and toward genuine security awareness:

  1. Make security part of the workflow, not an interruption
    People will always take the path of least resistance. Don’t fight it, use it. Integrate secure tools into daily workflows. Make reporting suspicious activity as easy as forwarding an email or clicking a button in an app they already use. When secure behaviour is frictionless, it becomes habit.
  2. Shift from punishment to coaching
    Fear may get attention, but it doesn’t build awareness. Phishing simulations should be framed as learning exercises, not traps. When someone falls for a test, walk them through what to look for, celebrate improvement, and encourage questions. Track reporting rates, not just click rates.
  3. Build visibility without micromanaging
    Shadow IT thrives in gaps. Give teams visibility into where data lives, who owns it, and what’s secure. Collaborate with teams, don’t chase them. Educate staff on risk rather than policing them. Turning unknowns into knowns is a cultural win.
  4. Connect compliance to real risk
    Frameworks and standards are important, but don’t let them become the only goal. Tie security objectives to actual business outcomes. Ask: “Does this process reduce the chance of a breach that could cost us millions? Does it protect our clients’ data?” When staff see the ‘why’, compliance becomes meaningful.
  5. Encourage learning from mistakes
    Henry Ford said, “The only real mistake is the one from which we learn nothing.” Mistakes happen; it’s human. Instead of blame, create a culture where errors are discussed openly, lessons are shared, and improvements are celebrated. Studies show unreported minor errors often escalate into serious breaches (Verizon DBIR, 2024). Awareness starts with safe reporting.
  6. Measure what matters
    Move beyond quiz scores and completion percentages. Track:
  • Reporting of suspicious activity
  • Participation in security discussions
  • Adoption of secure workflows
  • Reduction in risky behaviours

These metrics reflect real awareness and engagement, rather than surface-level compliance.
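To make the "reporting rates, not just click rates" point concrete, here is an added example (not DigitalXRAID's code or tooling) that computes per-campaign click, report and time-to-report metrics from a constructed phishing-simulation event log, then flags the trap described above: a campaign whose click rate fell while reporting collapsed. Campaign names, users and timings are invented.

```python
"""Phishing-simulation metrics that look past click rate.

Added example for the "Measure what matters" section; not DigitalXRAID's
own code. Campaigns "Q1"/"Q2", users and timings are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed event log: (campaign, user, action, minutes after delivery).
# Q2 is imagined to run after a punitive "three strikes" policy was introduced.
EVENTS = [
    ("Q1", "alice", "clicked", 3), ("Q1", "alice", "reported", 9),
    ("Q1", "bob", "reported", 2),
    ("Q1", "carol", "clicked", 15),
    ("Q1", "dave", "reported", 4),
    ("Q1", "erin", "ignored", 0),
    ("Q2", "alice", "ignored", 0),
    ("Q2", "bob", "ignored", 0),
    ("Q2", "carol", "clicked", 20),
    ("Q2", "dave", "ignored", 0),
    ("Q2", "erin", "ignored", 0),
]


def campaign_metrics(events):
    """Per-campaign rates; one row per recipient even if they acted twice."""
    actions = defaultdict(lambda: defaultdict(dict))
    for campaign, user, action, minutes in events:
        actions[campaign][user][action] = minutes
    out = {}
    for campaign, users in actions.items():
        n = len(users)
        clicked = [u for u, a in users.items() if "clicked" in a]
        reported = [u for u, a in users.items() if "reported" in a]
        report_minutes = [users[u]["reported"] for u in reported]
        out[campaign] = {
            "recipients": n,
            "click_rate": len(clicked) / n,
            "report_rate": len(reported) / n,
            # Reported without clicking: the behaviour the programme wants most.
            "clean_report_rate": len(set(reported) - set(clicked)) / n,
            "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        }
    return out


def compare(before, after):
    """Flag the tick-box trap: click rate falls while reporting collapses."""
    click_improved = after["click_rate"] < before["click_rate"]
    reporting_regressed = after["report_rate"] < before["report_rate"]
    return {
        "click_rate_delta": after["click_rate"] - before["click_rate"],
        "report_rate_delta": after["report_rate"] - before["report_rate"],
        "looks_better_on_clicks_only": click_improved and reporting_regressed,
    }


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for name, row in m.items():
        print(name, row)
    print(compare(m["Q1"], m["Q2"]))
```

Run stand-alone it prints both campaigns and the comparison; Q2 shows a lower click rate than Q1 but zero reports, which is exactly the "fear blocks learning" pattern rather than an improvement.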


Reflection Questions for Leadership

Some reflective questions for you to ask yourself before closing the quarterly report or ticking another compliance box:

  1. Are we training people to understand risk, or just to avoid blame?
  2. Do our staff feel empowered to report mistakes and ask questions?
  3. Are our tools and processes designed to make secure behaviour the easy choice?
  4. How many unknown systems or shadow IT tools exist? What’s our plan to bring them into view? How are we going to manage this going forward?
  5. Are we measuring culture, not just compliance metrics?

Culture can’t be dictated. It must be nurtured, grown, and understood from the ground up. Asking these questions is the first step toward a security culture that actually sticks.

From Awareness to Habit: Making Security Part of Everyday Work

Security isn’t a checklist, a policy manual, or a once-a-year training module. It’s the small, daily decisions your people make: opening an email, sharing a document, choosing a tool for a project. Each choice carries weight, whether anyone realises it or not. Think of your organisation as a city full of tiny sparks: one misstep, one shortcut, and a fire could start in a back alley before anyone notices.

The organisations that thrive aren’t the ones with perfect compliance metrics. They’re the ones who understand how people actually work, how they think under pressure, and how they respond when shortcuts are tempting. They integrate security into the rhythm of daily life, not as a barrier, but as part of the flow. They create spaces where mistakes can be reported safely, lessons are shared openly, and learning is continuous.

Throughout this article we’ve shared the common signs that security awareness has become a tick-box exercise:

  • Phishing tests that scare rather than teach
  • Shadow IT that sneaks past visibility
  • Training that disappears from memory within a week

These aren’t failures of your people; they’re reflections of systems and cultures that haven’t caught up with reality. The path forward is simple in theory: meet people where they are, make secure behaviour the default, and reward understanding over compliance.

By removing the obstacles and roadblocks from the path and shining a bright light down the unlit alley, you give individuals the visibility to make the most secure choice.

The ultimate question regarding your security awareness is: are we making security something to fear, or something to live with comfortably, intelligently, and collaboratively? The organisations that get this balance right don’t just survive, they thrive. They turn awareness into habit, fear into understanding, and compliance into culture.

Security awareness will never be perfect. It never has been, and it never will be. But with thoughtful leadership, empathy for human behaviour, and a focus on practical, day-to-day choices, you can build a culture that doesn’t just check boxes, it protects, empowers, and endures.


Drew Heron, Information Security Consultant at DigitalXRAID, is an experienced GRC Specialist, who excels in maintaining Information Security Management Systems (ISMS) and overseeing various cybersecurity governance and risk functions.
